Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB3cWYtOWg3ai03bXY4

Incorrect threshold signature computation in TUF

Impact

Metadadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid.

The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.

Patches

A fix is available in version 0.12.2 or newer.

Workarounds

No workarounds are known for this issue.

References

• CVE-2020-6174
• Pull request resolving the issue PR 974

Permalink: https://github.com/advisories/GHSA-pwqf-9h7j-7mv8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB3cWYtOWg3ai03bXY4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: 3 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00197
EPSS Percentile: 0.57505

Identifiers: GHSA-pwqf-9h7j-7mv8, CVE-2020-6174
References:

• https://github.com/theupdateframework/tuf/security/advisories/GHSA-pwqf-9h7j-7mv8
• https://nvd.nist.gov/vuln/detail/CVE-2020-6174
• https://github.com/theupdateframework/tuf/pull/974
• https://github.com/theupdateframework/python-tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e
• https://github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-147.yaml
• https://github.com/theupdateframework/tuf/releases/tag/v0.12.2
• https://github.com/advisories/GHSA-pwqf-9h7j-7mv8

Repository: https://github.com/theupdateframework/tuf
Blast Radius: 15.6

Affected Packages