SB2022090678 - Incorrect authorization in The Update Framework (TUF)
Published: September 6, 2022 Updated: May 18, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass root metadata signature threshold verification.
The vulnerability exists due to improper access control in _verify_root_self_signed() when verifying self-signatures in new root metadata. A remote user can provide multiple signatures from a single new root key to bypass root metadata signature threshold verification.
Exploitation requires control of one new root key, a valid threshold of old trusted root keys to sign the new root metadata, publication of that metadata on the repository, and client rotation to the new root metadata.
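The counting defect the bulletin describes, shown beside the corrected check, as an added example that is not code from the TUF project: HMAC-SHA256 stands in for the asymmetric signatures real root metadata carries, the key names and threshold are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a TUF root role (trusted keys plus threshold).
# HMAC-SHA256 stands in for the asymmetric signatures real TUF metadata
# carries; only the threshold-counting logic is the point here.
def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(key: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)

def vulnerable_threshold_check(role, signatures, payload):
    # Counts every valid signature, so one key signing twice can reach the
    # threshold alone: the behaviour the bulletin describes.
    valid = 0
    for s in signatures:
        key = role["keys"].get(s["keyid"])
        if key is not None and verify(key, payload, s["sig"]):
            valid += 1
    return valid >= role["threshold"]

def fixed_threshold_check(role, signatures, payload):
    # Counts distinct signing keyids; repeats from the same key add nothing.
    signing_keys = set()
    for s in signatures:
        key = role["keys"].get(s["keyid"])
        if s["keyid"] not in signing_keys and key is not None \
                and verify(key, payload, s["sig"]):
            signing_keys.add(s["keyid"])
    return len(signing_keys) >= role["threshold"]

# Constructed new root role: three keys, threshold 2 (sample data, not real).
NEW_ROOT_KEYS = {"k1": b"key-one", "k2": b"key-two", "k3": b"key-three"}
NEW_ROOT_ROLE = {"keys": NEW_ROOT_KEYS, "threshold": 2}
PAYLOAD = json.dumps({"_type": "root", "version": 2}, sort_keys=True).encode()

def demo():
    # Signer holding only k1 submits the same signature twice.
    one_key_twice = [{"keyid": "k1", "sig": sign(NEW_ROOT_KEYS["k1"], PAYLOAD)}] * 2
    # Honest case: two distinct trusted keys.
    two_keys = [{"keyid": k, "sig": sign(NEW_ROOT_KEYS[k], PAYLOAD)} for k in ("k1", "k2")]
    return {
        "vulnerable_accepts_one_key_twice": vulnerable_threshold_check(NEW_ROOT_ROLE, one_key_twice, PAYLOAD),
        "fixed_accepts_one_key_twice": fixed_threshold_check(NEW_ROOT_ROLE, one_key_twice, PAYLOAD),
        "fixed_accepts_two_keys": fixed_threshold_check(NEW_ROOT_ROLE, two_keys, PAYLOAD),
    }
```

A client patched for this issue behaves like fixed_threshold_check: a threshold of N is only met by N different trusted keyids, whatever the number of signature entries.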
Remediation
Install the update from the vendor's website.