#VU65785 Improper validation of integrity check value in Go implementation of The Update Framework (TUF) - CVE-2022-29173

Cybersecurity Help s.r.o.

Published: 2022-07-26

Vulnerability identifier: #VU65785

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-29173

CWE-ID: CWE-354

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go implementation of The Update Framework (TUF)
Universal components / Libraries / Programming Languages & Components

Vendor: The Update Framework

Description

The vulnerability allows a remote attacker to bypass expected security restrictions.

The vulnerability exists due to incorrect implementation of the client workflow for updating the metadata files for roles other than the root role. Checks for rollback attacks are not implemented correctly, as a result a remote attacker can force clients to install older versions of software that may contain security vulnerabilities.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go implementation of The Update Framework (TUF) : 0.1.0 - 0.2.0

External links
https://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-66x3-6cw3-v5gj

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes

Security restrictions bypass in Go implementation of The Update Framework (TUF)