TUF (aka The Update Framework) 0.7.2 through 0.12.1 Uncontrolled Resource Consumption Vulnerability

Summary

While the maximum file size is restricted for downloading, the client may still attempt to validate a large number of signatures. We were able to add over 500 copies of the same invalid signature to the root.json file, which results in the client attempting to validate each one and spending several minutes on validation. The file size limit for targets.json is larger and may allow up to 5000 signatures, further increasing the time spent in validation.
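As an added example (not TUF's own code and not from the linked issue), the check below rejects a signature list of the kind described above before any cryptographic verification runs: a keyid must be authorised for the role and may appear only once, which caps the number of verifications at the role's key count. The document layout is a constructed, simplified root.json-like dict and the field names are assumptions.

```python
"""Pre-verification sanity check for a TUF-style signed metadata document."""
import copy

# Constructed sample: a minimal root.json-like document (not real TUF
# metadata). The root role lists two authorised key IDs and a threshold of 1,
# and the file carries one signature from one of those keys.
SAMPLE_ROOT = {
    "signed": {
        "_type": "root",
        "roles": {"root": {"keyids": ["key-a", "key-b"], "threshold": 1}},
    },
    "signatures": [{"keyid": "key-a", "sig": "deadbeef"}],
}


def padded_with_duplicates(doc, copies):
    """Constructed abuse case: a copy of doc whose signature list repeats
    the first signature `copies` times, like the 500-copy root.json above."""
    padded = copy.deepcopy(doc)
    first = padded["signatures"][0]
    padded["signatures"] = [dict(first) for _ in range(copies)]
    return padded


def check_signature_list(doc, role="root"):
    """Return the signatures worth verifying, or raise ValueError.

    Each keyid must belong to the role's authorised key set and occur at most
    once, so the list can never exceed len(keyids). The length test runs
    first, so a padded file is rejected in O(1) rather than after a loop over
    hundreds of entries, and no signature is cryptographically verified here.
    """
    allowed = set(doc["signed"]["roles"][role]["keyids"])
    sigs = doc["signatures"]
    if len(sigs) > len(allowed):
        raise ValueError(f"{len(sigs)} signatures for {len(allowed)} authorised keys")
    seen = set()
    for sig in sigs:
        kid = sig["keyid"]
        if kid not in allowed:
            raise ValueError(f"signature from unauthorised key {kid!r}")
        if kid in seen:
            raise ValueError(f"duplicate signature for key {kid!r}")
        seen.add(kid)
    return sigs


def is_acceptable(doc, role="root"):
    """Boolean wrapper around check_signature_list for callers that only gate."""
    try:
        check_signature_list(doc, role)
        return True
    except ValueError:
        return False
```

Only signatures that survive this check should be passed to the signature verifier; the verifier's per-signature cost is then bounded by the role's key count rather than by the file size limit.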

Credit:

The information has been provided by Erik MacLean.

The original article can be found at: https://github.com/theupdateframework/tuf/issues/973


Details

TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncontrolled Resource Consumption.


Vulnerable Systems:

TUF (aka The Update Framework) 0.7.2 through 0.12.1


CVE Information:

CVE-2020-6173


Disclosure Timeline:
Published Date: 1/14/2020
