Bug 1932079 (CVE-2021-3445) - CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header
Status: CLOSED ERRATA
Alias: CVE-2021-3445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1932089 1932090 1940116
Blocks: 1912449 1939506
Reported: 2021-02-23 20:53 UTC by Todd Cullum
Modified: 2023-09-15 01:01 UTC (History)
Fixed In Version: libdnf 0.60.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libdnf's signature verification functionality. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-11-02 23:09:39 UTC
Embargoed:


Links:
Red Hat Product Errata RHSA-2021:4464 (last updated 2021-11-09 18:53:17 UTC)

Description Todd Cullum 2021-02-23 20:53:18 UTC
libdnf does its own signature verification, but this can be tricked by placing a signature in the main header. This is exploitable if (and only if) RPM's package verification level is set to "digest" or "none".

Comment 1 Todd Cullum 2021-02-23 20:53:20 UTC
Acknowledgments:

Name: Demi M. Obenour

Comment 10 Todd Cullum 2021-03-04 19:52:59 UTC
Mitigation:

A mitigation for this flaw is to set `%_pkgverify_level all` or `%_pkgverify_level signature` in `/etc/rpm/macros`.
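
The mitigation above, as an added example that is not part of the bug report: a small POSIX shell helper that reads a macros file (the path and the constructed file contents are assumptions), reports the configured `%_pkgverify_level`, classifies it against the condition stated in this bug, and appends the recommended setting when it is missing or weak.

```shell
#!/bin/sh
# Added example, not from the bug report or from libdnf/rpm.
# Assumes the macro syntax "%_pkgverify_level <value>", one definition per
# line, with the last definition winning as in rpm's own macro files.
# On a live system "rpm --eval '%{_pkgverify_level}'" shows the effective
# value (built-in default included); this script only inspects a file so it
# can run without rpm installed.

# Print the last %_pkgverify_level value defined in FILE, or "unset".
pkgverify_level_from_file() {
    file="$1"
    level=$(sed -n 's/^[[:space:]]*%_pkgverify_level[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$file" | tail -n 1)
    if [ -n "$level" ]; then
        printf '%s\n' "$level"
    else
        printf 'unset\n'
    fi
}

# Map a level to a verdict: "ok" when a valid signature is required,
# "weak" when the level is one this bug names as exploitable.
classify_pkgverify_level() {
    case "$1" in
        all|signature) echo ok ;;
        digest|none)   echo weak ;;
        *)             echo unknown ;;
    esac
}

# Append the mitigation from comment 10 to FILE unless the configured level
# already requires a signature; print the resulting level.
harden_macros_file() {
    file="$1"
    current=$(pkgverify_level_from_file "$file")
    if [ "$(classify_pkgverify_level "$current")" != ok ]; then
        printf '%%_pkgverify_level all\n' >> "$file"
    fi
    pkgverify_level_from_file "$file"
}

# Demo on a constructed macros file (not /etc/rpm/macros).
demo_file=$(mktemp)
printf '%%_pkgverify_level digest\n' > "$demo_file"
echo "before: $(pkgverify_level_from_file "$demo_file") ($(classify_pkgverify_level "$(pkgverify_level_from_file "$demo_file")"))"
echo "after:  $(harden_macros_file "$demo_file")"
rm -f "$demo_file"
```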

Comment 15 RaTasha Tillery-Smith 2021-03-16 17:18:36 UTC
Statement:

The exploitation of this flaw requires RPM's package verification level to be set to "digest" or "none". In addition, to exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM. It is strongly recommended to only use RPMs from trusted repositories.

Comment 16 Todd Cullum 2021-03-17 15:53:56 UTC
Created libdnf tracking bugs for this issue:

Affects: fedora-all [bug 1940116]

Comment 19 errata-xmlrpc 2021-11-09 18:53:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4464 https://access.redhat.com/errata/RHSA-2021:4464

Comment 20 Red Hat Bugzilla 2023-09-15 01:01:59 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days