PT-2022-23147 · Cosign+1
Asraa +2 · Published 2022-09-14 · Updated 2024-06-15 · CVE-2022-36056
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
cosign versions prior to 1.12.0
Description
A number of issues have been found in cosign verify-blob, where cosign would successfully verify an artifact when verification should have failed. These issues include:
- a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature,
- when providing identity flags, the email and issuer of a certificate are not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked,
- providing an invalid Rekor bundle without the experimental flag results in a successful verification,
- an invalid transparency log entry will result in immediate success for verification.
Recommendations
For versions prior to 1.12.0, update to version 1.12.0 to resolve the issues.
As a temporary workaround for the first issue, consider extracting the signature and certificate from the bundle and using them for verification instead of the bundle, by running
cosign verify-blob blob1 --signature $(jq -r '.base64Signature' bundle1) --certificate $(jq -r '.cert' bundle1).
However, note that this workaround may make a network call to Rekor and could be subject to the fourth issue.
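The first issue is a bundle whose embedded rekorBundle does not actually reference the signature and certificate presented alongside it. The following added Python check (not cosign's own code) compares the outer base64Signature, cert and blob digest against the hashedrekord entry carried in rekorBundle.Payload.body; the bundle layout, the hashedrekord field names and the placeholder values are assumptions, and such a pre-check is a stopgap for unpatched hosts, not a replacement for updating to 1.12.0.

```python
import base64
import json

# Constructed placeholders (not real signatures or certificates): the check
# only compares fields within the bundle, so opaque strings are sufficient.
SIG = base64.b64encode(b"constructed-signature").decode()
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
DIGEST = "0" * 64  # constructed sha256 hex digest of the blob


def make_bundle(sig, cert, entry_sig, entry_cert, digest):
    """Build a cosign-style bundle whose rekorBundle carries a hashedrekord entry.
    Assumed layout: base64Signature, cert, rekorBundle.Payload.body (base64 JSON)."""
    entry = {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec": {
        "data": {"hash": {"algorithm": "sha256", "value": digest}},
        "signature": {"content": entry_sig, "publicKey": {
            "content": base64.b64encode(entry_cert.encode()).decode()}}}}
    return {"base64Signature": sig, "cert": cert, "rekorBundle": {
        "SignedEntryTimestamp": "constructed", "Payload": {
            "body": base64.b64encode(json.dumps(entry).encode()).decode(),
            "integratedTime": 1663200000, "logIndex": 1, "logID": "constructed"}}}


def bundle_mismatches(bundle, blob_sha256):
    """Return the mismatches between the outer bundle fields and the embedded
    Rekor entry; an empty list means the bundle is self-consistent."""
    try:
        entry = json.loads(base64.b64decode(bundle["rekorBundle"]["Payload"]["body"]))
    except (KeyError, TypeError, ValueError):
        return ["rekorBundle body missing or not a base64-encoded JSON entry"]
    if not isinstance(entry, dict) or entry.get("kind") != "hashedrekord":
        return ["embedded entry is not a hashedrekord entry"]
    problems = []
    spec = entry.get("spec", {})
    sig_spec = spec.get("signature", {})
    if sig_spec.get("content") != bundle.get("base64Signature"):
        problems.append("entry signature does not match base64Signature")
    try:  # the entry stores the signing certificate base64-encoded
        entry_cert = base64.b64decode(sig_spec.get("publicKey", {}).get("content", "")).decode()
    except ValueError:
        entry_cert = None
    if entry_cert != bundle.get("cert"):
        problems.append("entry publicKey does not match cert")
    if spec.get("data", {}).get("hash", {}).get("value") != blob_sha256:
        problems.append("entry hash does not match the blob's sha256")
    return problems
```

Run `bundle_mismatches(json.load(open("bundle1")), sha256_of_blob)` before trusting a bundle on a pre-1.12.0 cosign; any non-empty result means the bundle should be rejected rather than passed to verify-blob.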
For the other issues, there are no workarounds, and users should update to version 1.12.0.
Exploit
Fix
Improper Verification of Cryptographic Signature
Weakness Enumeration
Related Identifiers
Affected Products
Suse
Cosign