Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mbWo3LTdnZnctNjRwZ84ABARb
Agent Dart is missing certificate verification checks
Certificate verification (in lib/agent/certificate.dart) has been found to contain two issues:
- During the delegation verification (in the _checkDelegation function) the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses on behalf of another subnet. You have more details in the IC specification here. Also for reference you can check how this is implemented in the agent-rs.
- The certificate's timestamp, i.e. the /time path, is not verified, meaning that the certificate effectively has no expiration time. The IC spec doesn't specify an expiry time, it gives some suggestions, quoting: "A reasonable expiry time for timestamps in R.signatures and the certificate Cert is 5 minutes (analogously to the maximum allowed ingress expiry enforced by the IC mainnet). Delegations require expiry times of at least a week since the IC mainnet refreshes the delegations only after replica upgrades which typically happen once a week". For reference you can check how this is implemented in the agent-rs (here and here).
Additionally, it seems replica-signed queries aren't implemented.
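The two missing checks described above, modelled as an added example in Python (this is not code from agent_dart or agent-rs). It assumes canister_ranges has already been decoded from the root certificate into (start, end) principal byte pairs, that /time has already been LEB128-decoded to nanoseconds, and it leaves BLS signature verification out of scope; the sample principals are constructed, not real IC ids.

```python
import time
from typing import List, Optional, Sequence, Tuple

# Spec-suggested expiry for the certificate's /time: 5 minutes, in nanoseconds.
MAX_CERT_AGE_NS = 5 * 60 * 1_000_000_000


def canister_in_ranges(canister_id: bytes,
                       canister_ranges: Sequence[Tuple[bytes, bytes]]) -> bool:
    """Delegation check the advisory says _checkDelegation skips.

    Assumes canister_ranges is the decoded list of (start, end) principal
    pairs from /subnet/<subnet_id>/canister_ranges. Ranges are inclusive and
    principals compare byte-wise, which is how agent-rs compares them.
    """
    return any(start <= canister_id <= end for start, end in canister_ranges)


def certificate_time_fresh(cert_time_ns: int, now_ns: int,
                           max_age_ns: int = MAX_CERT_AGE_NS) -> bool:
    """/time check the advisory says is missing.

    Assumes cert_time_ns is the LEB128-decoded nanosecond timestamp at /time.
    Stale and future-dated certificates are both rejected, so a skewed replica
    clock cannot yield a certificate that stays valid indefinitely.
    """
    return abs(now_ns - cert_time_ns) <= max_age_ns


def verify_delegation_and_time(canister_id: bytes,
                               canister_ranges: Sequence[Tuple[bytes, bytes]],
                               cert_time_ns: int,
                               now_ns: Optional[int] = None) -> List[str]:
    """Return the list of failed checks; an empty list means both passed."""
    if now_ns is None:
        now_ns = time.time_ns()
    failures = []
    if not canister_in_ranges(canister_id, canister_ranges):
        failures.append("canister_id outside the delegation's canister_ranges")
    if not certificate_time_fresh(cert_time_ns, now_ns):
        failures.append("certificate /time outside the 5 minute window")
    return failures


# Constructed sample (not real IC principals): the delegating subnet covers
# canister ids ...01 through ...0f.
SAMPLE_RANGES = [(bytes.fromhex("00000000000000010101"),
                  bytes.fromhex("000000000000000f0101"))]

if __name__ == "__main__":
    now = time.time_ns()
    print(verify_delegation_and_time(bytes.fromhex("00000000000000050101"),
                                     SAMPLE_RANGES, now - 60 * 10**9, now))
    print(verify_delegation_and_time(bytes.fromhex("00000000000000200101"),
                                     SAMPLE_RANGES, now - 3600 * 10**9, now))
```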
Permalink: https://github.com/advisories/GHSA-fmj7-7gfw-64pg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mbWo3LTdnZnctNjRwZ84ABARb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 7 hours ago
Updated: about 1 hour ago
Identifiers: GHSA-fmj7-7gfw-64pg, CVE-2024-48915
References:
- https://github.com/AstroxNetwork/agent_dart/security/advisories/GHSA-fmj7-7gfw-64pg
- https://github.com/AstroxNetwork/agent_dart/commit/0d200686aabcd9313c7bc3e675cbdc82f6b775cf
- https://nvd.nist.gov/vuln/detail/CVE-2024-48915
- https://github.com/AstroxNetwork/agent_dart/blob/f50971dfae3f536c1720f0084f28afbcf5d99cb5/lib/agent/certificate.dart#L162
- https://github.com/AstroxNetwork/agent_dart/blob/main/lib/agent/certificate.dart
- https://github.com/advisories/GHSA-fmj7-7gfw-64pg
Blast Radius: 0.0
Affected Packages
pub:agent_dart
Dependent packages: 3
Dependent repositories: 5
Downloads:
Affected Version Ranges: <= 1.0.0-dev.28
Fixed in: 1.0.0-dev.29
All affected versions: 0.0.1, 0.0.2, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.14, 0.1.15, 0.1.15, 0.1.15, 0.1.16, 0.1.16, 0.1.16, 0.1.17, 0.1.17, 0.1.18, 0.1.19, 0.1.19, 0.1.19, 0.1.19, 0.1.19, 0.1.21, 0.1.22, 0.1.22, 0.1.23, 0.1.23, 0.1.24, 0.1.24, 1.0.0-dev.1, 1.0.0-dev.2, 1.0.0-dev.3, 1.0.0-dev.4, 1.0.0-dev.5, 1.0.0-dev.6, 1.0.0-dev.7, 1.0.0-dev.8, 1.0.0-dev.9, 1.0.0-dev.10, 1.0.0-dev.11, 1.0.0-dev.13, 1.0.0-dev.14, 1.0.0-dev.15, 1.0.0-dev.16, 1.0.0-dev.17, 1.0.0-dev.18, 1.0.0-dev.19, 1.0.0-dev.20, 1.0.0-dev.21, 1.0.0-dev.22, 1.0.0-dev.23, 1.0.0-dev.24, 1.0.0-dev.25, 1.0.0-dev.26, 1.0.0-dev.27, 1.0.0-dev.28
All unaffected versions: