PT-2020-18981 · Update Framework · Tuf
Erik Maclean · Published 2020-02-05 · Updated 2020-08-21
CVE-2020-6174
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
TUF (aka The Update Framework) versions prior to 0.7.1
TUF (aka The Update Framework) through 0.12.1
Description
The vulnerability stems from improper verification of cryptographic signatures: anyone holding one valid signing key can produce multiple valid signatures over the same metadata and thereby satisfy a role's threshold, which is meant to require signatures from that many unique keys. This lets an attacker who controls a single key make metadata appear valid. A fix is available; the issue was reported by Erick Tryzelaar of the Google Fuchsia Team.
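To make the threshold flaw concrete, the following added example (not TUF's own code) puts a vulnerable threshold check that counts signatures beside a fixed one that counts distinct trusted keyids. The keyids, HMAC secrets and metadata are constructed stand-ins for a real role's asymmetric keys; the TUF-style `signed`/`signatures` layout is kept so the counting logic carries over.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a TUF role: two trusted keyids, threshold 2. Keys are
# HMAC secrets so the example runs on the standard library alone; real TUF uses
# asymmetric keys, but the signature-counting logic under test is the same.
ROLE_KEYS = {"keyid-a": b"secret-a", "keyid-b": b"secret-b"}
THRESHOLD = 2

def canonical(signed: dict) -> bytes:
    # Deterministic serialisation of the 'signed' portion, as TUF canonical JSON does.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(keyid: str, signed: dict) -> dict:
    # TUF-style signature object: {"keyid": ..., "sig": ...}
    mac = hmac.new(ROLE_KEYS[keyid], canonical(signed), hashlib.sha256)
    return {"keyid": keyid, "sig": mac.hexdigest()}

def verify_one(sig: dict, signed: dict) -> bool:
    key = ROLE_KEYS.get(sig["keyid"])
    if key is None:
        return False  # keyid not trusted for this role
    expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["sig"])

def threshold_met_vulnerable(metadata: dict) -> bool:
    # Counts every valid signature, so one key signing twice is counted twice.
    good = sum(1 for s in metadata["signatures"] if verify_one(s, metadata["signed"]))
    return good >= THRESHOLD

def threshold_met_fixed(metadata: dict) -> bool:
    # Counts distinct trusted keyids that produced a valid signature. Deduplicating on
    # the signature bytes would not be enough: randomised schemes such as RSA-PSS let
    # one key emit many different valid signatures over the same data.
    good_keys = {s["keyid"] for s in metadata["signatures"] if verify_one(s, metadata["signed"])}
    return len(good_keys) >= THRESHOLD

def demo() -> dict:
    signed = {"_type": "targets", "version": 3}
    # Scenario 1: only keyid-a is available and it signs the same metadata twice.
    one_key_twice = {"signed": signed,
                     "signatures": [sign("keyid-a", signed), sign("keyid-a", signed)]}
    # Scenario 2: both trusted keys sign once (legitimate release).
    two_keys = {"signed": signed,
                "signatures": [sign("keyid-a", signed), sign("keyid-b", signed)]}
    return {"one_key_twice": (threshold_met_vulnerable(one_key_twice), threshold_met_fixed(one_key_twice)),
            "two_keys": (threshold_met_vulnerable(two_keys), threshold_met_fixed(two_keys))}
```

`demo()` returns `(True, False)` for the single-key case, showing the vulnerable check accepting metadata the fixed check rejects, and `(True, True)` for the legitimate two-key case.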
Recommendations
For TUF (aka The Update Framework) versions prior to 0.7.1, update to version 0.7.1 to resolve the issue.
For TUF (aka The Update Framework) through 0.12.1, update to a version later than 0.12.1 to resolve the issue.
Weakness Enumeration
Improper Verification of Cryptographic Signature
Affected Products
Tuf