GHSA-vqv5-385r-2hf8

Suggest an improvement
Source
https://github.com/advisories/GHSA-vqv5-385r-2hf8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-vqv5-385r-2hf8/GHSA-vqv5-385r-2hf8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vqv5-385r-2hf8
Aliases
Published
2025-02-05T21:30:35Z
Modified
2025-02-06T18:05:15Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Contrast's unauthenticated recovery allows Coordinator impersonation
Details

Impact

Recovering coordinators do not verify the seed provided by the recovering party. This allows an attacker to set up a coordinator with a manifest that passes validation, but with a secret seed controlled by the attacker.

If network traffic is redirected from the legitimate coordinator to the attacker's coordinator, a workload owner is susceptible to impersonation if either

  • they set a new manifest and don't compare the root CA cert with the existing one (this is the default of the contrast CLI) or
  • they verify the coordinator and don't compare the root CA cert with a trusted reference.

Under these circumstances, the attacker can:

  • Issue certificates that chain back to the attacker coordinator's root CA.
  • Recover arbitrary workload secrets of workloads deployed after the attack.

This issue does not affect the following:

  • secrets of the legitimate coordinator (seed, workload secrets, CA)
  • integrity of workloads, even when used with the rogue coordinator
  • certificates chaining back to the mesh CA

Patches

This issue is patched in Contrast v1.4.1.

Workarounds

The issue can be avoided by verifying the coordinator root CA cert against expectations.

  • At the first set call, keep a copy of the CA cert returned by the coordinator.
  • After subsequent set or verify calls, compare the returned CA cert with the backup copy. If it matches bit-for-bit, the coordinator is legitimate.
Database specific 
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-05T21:30:35Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-285"
    ]
}
References

Affected packages

Go / github.com/edgelesssys/contrast

Package

Name
github.com/edgelesssys/contrast
View open source insights on deps.dev
Purl
pkg:golang/github.com/edgelesssys/contrast

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.1

Database specific 

{
    "last_known_affected_version_range": "<= 1.4.0"
}