GHSA-w7wm-2425-7p2h – github.com/edgelesssys/marblerun
Package
Manager: go
Name: github.com/edgelesssys/marblerun
Vulnerable Version: >=0 <1.7.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
MarbleRun unauthenticated recovery allows Coordinator impersonation

### Impact
During recovery, a Coordinator only verifies that a given recovery key decrypts the sealed state, not whether that key was supplied by a party holding one of the recovery keys defined in the manifest. This allows an attacker to manually craft a sealed state using their own recovery keys, together with a manifest that does not match the rest of the state. If network traffic is redirected from the legitimate Coordinator to the attacker's Coordinator, a remote party is susceptible to impersonation if it verifies the Coordinator without comparing the Coordinator's root certificate against a trusted reference. Under these circumstances, an attacker can trick a remote party into trusting the malicious Coordinator by presenting a manifest that does not match the actual state of the deployment.

This issue does **not** affect the following:
* secrets and state of the legitimate Coordinator instances
* integrity of workloads
* certificates chaining back to the legitimate Coordinator root certificate

### Patches
The issue has been patched in [`v1.7.0`](https://github.com/edgelesssys/marblerun/releases/tag/v1.7.0).

### Workarounds
Connections that authenticate purely on the basis of a known Coordinator root certificate, e.g. the one retrieved when using the `marblerun manifest set` CLI command, are not affected.
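The workaround hinges on one check: a client must only accept a Coordinator whose certificate chains to a root it already holds as a trusted reference, never a root the peer itself presents. The following Go program is an added example that is not MarbleRun code; `VerifyChainAgainstPinnedRoot`, `PinnedVerifier`, `NewRoot` and `NewLeaf` are names chosen here, and the two roots it builds are a constructed test PKI standing in for a legitimate Coordinator and an impersonating one. It shows the pinned root accepting its own chain and rejecting a chain that is internally valid but anchored elsewhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyChainAgainstPinnedRoot accepts a presented chain (leaf first, as
// tls.Config.VerifyPeerCertificate receives it) only if it chains to
// pinnedRootDER, a DER root obtained out of band and kept as the trusted
// reference. Any CA the peer presents is used at most as an intermediate,
// never as a trust anchor.
func VerifyChainAgainstPinnedRoot(rawCerts [][]byte, pinnedRootDER []byte) error {
	if len(rawCerts) == 0 {
		return errors.New("peer presented no certificate")
	}
	pinnedRoot, err := x509.ParseCertificate(pinnedRootDER)
	if err != nil {
		return fmt.Errorf("pinned root: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)

	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("leaf: %w", err)
	}
	intermediates := x509.NewCertPool()
	for _, der := range rawCerts[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("intermediate: %w", err)
		}
		intermediates.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// PinnedVerifier adapts the check to the tls.Config.VerifyPeerCertificate signature.
func PinnedVerifier(pinnedRootDER []byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		return VerifyChainAgainstPinnedRoot(rawCerts, pinnedRootDER)
	}
}

// The helpers below build a constructed test PKI so the example runs offline.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"coordinator.example"} // constructed hostname
	}
	return t
}

// NewRoot returns a self-signed root certificate (DER) and its private key.
func NewRoot(cn string) ([]byte, *ecdsa.PrivateKey) {
	key := newKey()
	t := template(cn, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der, key
}

// NewLeaf returns a server certificate (DER) signed by the given root.
func NewLeaf(rootDER []byte, rootKey *ecdsa.PrivateKey) []byte {
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		panic(err)
	}
	key := newKey()
	der, err := x509.CreateCertificate(rand.Reader, template("coordinator.example", false), root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	legitRoot, legitKey := NewRoot("Legitimate Coordinator Root")
	rogueRoot, rogueKey := NewRoot("Rogue Coordinator Root")
	legitLeaf := NewLeaf(legitRoot, legitKey)
	rogueLeaf := NewLeaf(rogueRoot, rogueKey)
	fmt.Println("legitimate chain:", VerifyChainAgainstPinnedRoot([][]byte{legitLeaf, legitRoot}, legitRoot))
	fmt.Println("rogue chain:     ", VerifyChainAgainstPinnedRoot([][]byte{rogueLeaf, rogueRoot}, legitRoot))
}
```

In a real client the pinned root would be loaded from the file saved at `marblerun manifest set` time, and `PinnedVerifier` installed on the `tls.Config` used to dial the Coordinator; the rogue chain fails even though it is self-consistent, because its root is never admitted to the `Roots` pool.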
Metadata
Created: 2025-02-04T21:23:48Z
Modified: 2025-02-06T18:04:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-w7wm-2425-7p2h/GHSA-w7wm-2425-7p2h.json
CWE IDs: ["CWE-285"]
Alternative ID: N/A
Finding: F039
Auto approve: 1