GHSA-HHFG-FWRW-87W7

Vulnerability from github – Published: 2024-12-11 18:42 – Updated: 2024-12-11 18:42
VLAI?
Summary
sigstore has insufficient validation of integration timestamp during verification
Details

Summary

Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified if a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present.

This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise.

Details

Sigstore uses signed time to support verification of signatures made against short-lived signing keys.

Impact

The impact and severity of this weakness is low, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify).

Separately, an attacker could upload a new entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable.

Severity ?
2.7 (Low)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sigstore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-325"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-11T18:42:00Z",
    "nvd_published_at": "2024-12-10T23:15:06Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nVersions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the \"integration time\" present in \"v2\" and \"v3\" bundles during the verification flow: the \"integration time\" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present.\n\nThis does not affect \"v1\" bundles, as the \"v1\" bundle format always requires an inclusion promise.\n\n### Details\n\nSigstore uses signed time to support verification of signatures made against short-lived signing keys. \n\n### Impact\n\nThe impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify).\n\nSeparately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry\u0027s time. However, this would still be rejected at validation time, as the new entry\u0027s (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable.\n",
  "id": "GHSA-hhfg-fwrw-87w7",
  "modified": "2024-12-11T18:42:00Z",
  "published": "2024-12-11T18:42:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55655"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/sigstore-python"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sigstore has insufficient validation of integration timestamp during verification"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.