Security restrictions bypass in Go implementation of The Update Framework (TUF)



Published: 2022-07-26
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-29173
CWE-ID CWE-354
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Go implementation of The Update Framework (TUF)
Universal components / Libraries / Programming Languages & Components

Vendor The Update Framework

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper validation of integrity check value

EUVDB-ID: #VU65785

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29173

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass expected security restrictions.

The vulnerability exists due to incorrect implementation of the client workflow for updating the metadata files for roles other than the root role. Checks for rollback attacks are not implemented correctly, as a result a remote attacker can force clients to install older versions of software that may contain security vulnerabilities.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go implementation of The Update Framework (TUF) : 0.1.0 - 0.2.0

External links

http://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d
http://github.com/theupdateframework/go-tuf/security/advisories/GHSA-66x3-6cw3-v5gj


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###