How the CVE Works
The vulnerability is that the Tough TUF client fails to enforce sequential version validation during root metadata updates: when fetching new root metadata, it does not verify that the received version is the immediate successor of the previously trusted version. An attacker who controls the repository storage can replace the current root metadata file with an older, still validly signed version, tricking the client into trusting outdated or revoked keys. From there the attacker can manipulate package updates, enabling supply chain attacks.
DailyCVE Form
Platform: TUF Client
Version: <0.20.0
Vulnerability: Metadata Rollback
Severity: Critical
Date: 2024-XX-XX
What Undercode Say:
Exploitation:
- Attack Vector: An attacker replaces `root.json` with a prior signed version.
- Impact: Client accepts malicious packages signed by old keys.
- Proof of Concept:
  curl -O https://repo/1.root.json   # legitimate: client fetches the current root
  curl -O https://repo/3.root.json   # attacker skips v2
Protection:
1. Patch: Upgrade to Tough ≥0.20.0.
2. Validation Check:
   // Example fix in Rust (Tough): only the immediate successor version is accepted
   if new_version != old_version + 1 {
       return Err("Invalid version jump");
   }
3. Monitoring:
   grep -r "root.json" /tuf-repo   # detect tampering
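The sequential check from Protection step 2 and the repository-side monitoring from step 3, carried through in one added Rust example. This is not Tough's own code: `update_root`, `audit_repo`, `parse_version`, `fetch_from` and the sample repositories are all constructed here for illustration, and signature verification, which the real client performs on every new root, is left out.

```rust
// Added example, not Tough's own code: client-side sequential root-version
// validation plus a repository-side audit of <N>.root.json files.
use std::collections::BTreeMap;

/// Errors raised while walking root versions.
#[derive(Debug, PartialEq)]
pub enum UpdateError {
    /// The file served as <requested>.root.json declares a different version.
    VersionMismatch { requested: u64, declared: u64 },
    /// The served file has no parseable "version" field.
    Unparseable(u64),
}

/// Hypothetical helper: pull `"version": N` out of a root.json body without a
/// JSON crate. A real client parses the whole document after verifying it.
pub fn parse_version(json: &str) -> Option<u64> {
    let key = "\"version\"";
    let idx = json.find(key)?;
    let rest = json[idx + key.len()..].trim_start().strip_prefix(':')?.trim_start();
    let digits: String = rest.chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

/// Client-side fix: request trusted+1, trusted+2, ... and stop at the first
/// version the repository lacks. Each served file must declare exactly the
/// version requested, so a signed older root re-uploaded under a newer name
/// is rejected. `fetch(n)` returns <n>.root.json, or None if it does not exist.
pub fn update_root<F>(trusted: u64, fetch: F) -> Result<u64, UpdateError>
where
    F: Fn(u64) -> Option<String>,
{
    let mut current = trusted;
    loop {
        let next = current + 1;
        let body = match fetch(next) {
            Some(b) => b,
            None => return Ok(current), // no newer root: keep what we already trust
        };
        let declared = parse_version(&body).ok_or(UpdateError::Unparseable(next))?;
        if declared != next {
            return Err(UpdateError::VersionMismatch { requested: next, declared });
        }
        // A real client also requires the new root to be signed by a threshold of
        // keys from both the previous root and the new root before this point.
        current = next;
    }
}

/// Repository-side monitoring: report <N>.root.json files whose declared
/// version is not N, files without a version, and gaps in the sequence.
pub fn audit_repo(files: &BTreeMap<String, String>) -> Vec<String> {
    let mut findings = Vec::new();
    let mut numbers = Vec::new();
    for (name, body) in files {
        let n = match name.strip_suffix(".root.json").and_then(|s| s.parse::<u64>().ok()) {
            Some(n) => n,
            None => continue, // not a versioned root file
        };
        numbers.push(n);
        match parse_version(body) {
            Some(v) if v == n => {}
            Some(v) => findings.push(format!("{name}: declares version {v}, expected {n}")),
            None => findings.push(format!("{name}: no version field")),
        }
    }
    numbers.sort_unstable();
    for pair in numbers.windows(2) {
        if pair[1] != pair[0] + 1 {
            findings.push(format!("gap: {}.root.json is followed by {}.root.json", pair[0], pair[1]));
        }
    }
    findings
}

/// Constructed sample: a healthy repository holding roots 1, 2 and 3.
pub fn healthy_repo() -> BTreeMap<String, String> {
    (1..=3)
        .map(|n| (format!("{n}.root.json"), format!("{{\"signed\": {{\"version\": {n}}}}}")))
        .collect()
}

/// Constructed sample of the attack in the report: the old, still validly
/// signed version-1 root has been re-uploaded as 3.root.json.
pub fn rollback_repo() -> BTreeMap<String, String> {
    let mut repo = healthy_repo();
    repo.insert("3.root.json".to_string(), "{\"signed\": {\"version\": 1}}".to_string());
    repo
}

/// Fetch closure backed by one of the sample maps.
pub fn fetch_from(repo: &BTreeMap<String, String>) -> impl Fn(u64) -> Option<String> + '_ {
    move |n| repo.get(&format!("{n}.root.json")).cloned()
}

fn main() {
    let good = healthy_repo();
    println!("healthy: {:?}", update_root(1, fetch_from(&good)));
    let bad = rollback_repo();
    println!("rollback: {:?}", update_root(1, fetch_from(&bad)));
    println!("audit: {:?}", audit_repo(&bad));
}
```

The walk never jumps: if 2.root.json is missing the client stays at version 1 and does not look at 3.root.json, and if 3.root.json turns out to carry an older root the update fails rather than silently re-trusting old keys. The audit catches the same condition from the repository side, which is what a monitoring job over `/tuf-repo` should look for rather than a bare grep for the filename.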
Analytics:
- CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Affected Systems: AWS IoT, container registries using Tough.
Mitigation Commands:
Check installed version:
   cargo tree | grep tough
Force upgrade:
   cargo update -p tough --precise 0.20.0
References:
Reported By: https://github.com/advisories/GHSA-5vmp-m5v2-hx47