Unknown · Coreos-Installer · CVE-2021-20319
Name of the Vulnerable Software and Affected Versions:
coreos-installer versions prior to 0.10.1
Description:
An improper signature verification issue was found in coreos-installer: a specially crafted gzip-compressed installation image can bypass image signature verification. This allows unsigned content to be installed, so an attacker who can modify the original installation image can write arbitrary data to the target disk and gain full control of the node being installed. The issue affects installations using `--image-file`, `--image-url`, or the `coreos.inst.image_url` kernel argument, as well as `coreos-installer download --decompress --image-url`, in cases where the hosting service is compromised or an active attacker controls the HTTPS response.
Recommendations:
For versions prior to 0.10.1, update to coreos-installer version 0.10.1 to resolve the issue.
As a temporary workaround, for `coreos-installer download`, do not use the `-d` or `--decompress` options.
For `coreos-installer install`, manually inspect the stderr output, and if `BAD signature` appears, do not boot from the target disk.
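The interim workaround above can be automated on hosts that cannot yet be upgraded. The helpers below are an added example, not part of the advisory or of the coreos-installer project; they assume the caller supplies the installed version string, and the sample stderr lines and the key id they contain are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory or the coreos-installer project. Helpers for hosts
# still on a coreos-installer older than 0.10.1: detect whether the workaround applies,
# and fail the install when GPG reports "BAD signature" on stderr. Sample logs and the
# placeholder key id below are constructed for illustration.
set -u

FIXED_VERSION="0.10.1"

# Returns 0 if $1 is older than the fixed release, so the workaround is still needed.
needs_workaround() {
    local version="$1"
    [ "$version" = "$FIXED_VERSION" ] && return 1
    # sort -V orders version strings numerically; if ours sorts first it is the older one.
    [ "$(printf '%s\n%s\n' "$version" "$FIXED_VERSION" | sort -V | head -n 1)" = "$version" ]
}

# Returns 0 when the captured installer stderr contains no "BAD signature" line.
signature_ok() {
    ! grep -q 'BAD signature' "$1"
}

# Runs the installer with stderr captured, replays it for the operator, and refuses to
# report success (exit 2) if verification complained, so the disk is not booted.
guarded_install() {
    local image_url="$1" disk="$2" log rc
    log="$(mktemp)"
    coreos-installer install --image-url "$image_url" "$disk" 2>"$log"
    rc=$?
    cat "$log" >&2
    if ! signature_ok "$log"; then
        echo "refusing to boot from $disk: BAD signature reported during install" >&2
        rc=2
    fi
    rm -f "$log"
    return "$rc"
}

# Constructed stderr samples (no real installer run) to exercise signature_ok offline.
SAMPLE_GOOD_LOG="$(mktemp)"; SAMPLE_BAD_LOG="$(mktemp)"
printf 'gpg: Good signature from "constructed-key-id"\n' > "$SAMPLE_GOOD_LOG"
printf 'gpg: BAD signature from "constructed-key-id"\n' > "$SAMPLE_BAD_LOG"

signature_ok "$SAMPLE_GOOD_LOG" && echo "good sample: no BAD signature"
signature_ok "$SAMPLE_BAD_LOG" || echo "bad sample: BAD signature detected"
needs_workaround "0.9.0" && echo "0.9.0: workaround still needed"
```

Once the host is upgraded to 0.10.1, `needs_workaround` returns non-zero and the wrapper is no longer required.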