The vulnerability exists in `awslabs/tough` versions prior to `v0.22.0` and `tuftool` prior to v0.15.0. The `load_delegations` function does not enforce expiration timestamps, hash verification, or length checks on delegated targets metadata, unlike the validation applied to top-level `targets` metadata. An authenticated remote user who possesses delegated signing authority can craft expired, truncated, or otherwise invalid delegated metadata. When the TUF client (tough) loads this metadata, it bypasses integrity checks and caches the malicious content locally. This violates the TUF specification because the client should reject any expired or improperly signed delegated targets. The flaw stems from incomplete validation logic in the delegation chain; the code does not call the same verification routines that are used for the root or top-level targets role. An attacker can therefore poison the client’s metadata cache, causing it to trust and serve outdated, revoked, or tampered target files from a repository.
dailycve form
Platform: awslabs/tough
Version: 0.9.0–0.21.x
Vulnerability: Missing validation of delegated targets metadata
Severity: High
Date: 2024-01-15 (approx)
Prediction: Patch already available
What Undercode Says:
Check tough version (tough is a Rust crate, not a Python package, so inspect the consuming project's Cargo.lock instead of pip)
grep -A1 'name = "tough"' Cargo.lock
Verify if vulnerable (0.9.0 to 0.21.x; -E is required for the alternation to work in grep)
if grep -A1 'name = "tough"' Cargo.lock | grep -Eq 'version = "0\.(9|1[0-9]|20|21)\.'; then echo "VULNERABLE"; else echo "OK"; fi
Upgrade to fixed version (rewrites the dependency in Cargo.toml and refreshes Cargo.lock)
cargo add tough@0.22.0
For tuftool
cargo install tuftool --version 0.15.0
Simulate missing hash check (conceptual)
curl -X POST https://repo.example.com/metadata/delegated.json \
  -d '{"expires": "2020-01-01", "length": 0, "hashes": {}}'
Exploit:
An attacker with delegated signing privileges serves a delegated targets metadata file that lacks hashes, carries an expired timestamp, and is truncated. The client loads it via `load_delegations` → no expiration verification → no hash comparison → no length check → cached as valid → subsequent target requests use the poisoned data.
Protection from this CVE:
Upgrade to tough ≥0.22.0 or tuftool ≥0.15.0. If patching is not possible, avoid granting delegated signing authority to untrusted users, and manually verify the expiration, length, and hashes of all delegated metadata with external tooling before the client ingests it.
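The three checks the text says `load_delegations` skipped, as an added Python example (not tough's own code): a standalone verifier that rejects delegated targets metadata whose length or hashes do not match the parent's entry, or whose `expires` timestamp has passed, usable as the external pre-ingestion check recommended above. The sample metadata bodies and the snapshot-style `{"length", "hashes"}` entry are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

def verify_delegated_metadata(raw: bytes, expected: dict, now: datetime) -> list:
    """Return every check a delegated targets file fails (empty list = accept).

    `expected` is the parent's entry for this role, shaped like a TUF
    snapshot 'meta' entry: {"length": int, "hashes": {"sha256": hexdigest}}.
    These are the checks the text describes as missing for delegations.
    """
    failures = []
    # Length check: the download must be exactly as long as declared,
    # which catches truncated (or zero-length) metadata.
    if len(raw) != expected["length"]:
        failures.append(f"length mismatch: got {len(raw)}, expected {expected['length']}")
    # Hash check: every digest the parent lists must match the bytes received.
    for algo, digest in expected["hashes"].items():
        if hashlib.new(algo, raw).hexdigest() != digest:
            failures.append(f"{algo} mismatch")
    # Expiration check: TUF 'expires' is ISO 8601 UTC (e.g. 2020-01-01T00:00:00Z);
    # anything at or before 'now' is stale and must be rejected.
    try:
        expires_str = json.loads(raw)["signed"]["expires"]
        expires = datetime.strptime(expires_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires <= now:
            failures.append(f"expired at {expires_str}")
    except (ValueError, KeyError, TypeError):
        failures.append("malformed metadata: missing or unparsable 'expires'")
    return failures

def snapshot_entry(body: bytes) -> dict:
    """Build the length/hash entry a correct parent (snapshot) would carry for this body."""
    return {"length": len(body), "hashes": {"sha256": hashlib.sha256(body).hexdigest()}}

# Constructed sample metadata (not from any real repository); 'now' is the page's date.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
GOOD_BODY = json.dumps({"signed": {"_type": "targets", "expires": "2099-01-01T00:00:00Z",
                                   "targets": {}}, "signatures": []}).encode()
EXPIRED_BODY = GOOD_BODY.replace(b"2099", b"2020")   # correct length/hash, stale timestamp
TRUNCATED_BODY = GOOD_BODY[:-12]                      # cut short: fails length, hash and parsing

if __name__ == "__main__":
    print("good:", verify_delegated_metadata(GOOD_BODY, snapshot_entry(GOOD_BODY), NOW))
    print("expired:", verify_delegated_metadata(EXPIRED_BODY, snapshot_entry(EXPIRED_BODY), NOW))
    print("truncated:", verify_delegated_metadata(TRUNCATED_BODY, snapshot_entry(GOOD_BODY), NOW))
```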
Impact:
Compromised integrity of TUF metadata cache; client may trust expired or malicious target files; enables rollback attacks (serve old vulnerable binaries) and denial of service via zero-length or corrupted targets.
Sources:
Reported By: github.com