
MarbleRun unauthenticated recovery allows Coordinator impersonation

High severity. GitHub Reviewed. Published Feb 4, 2025 in edgelesssys/marblerun

Package

gomod github.com/edgelesssys/marblerun (Go)

Affected versions

< 1.7.0

Patched versions

1.7.0

Description

Impact

During recovery, a Coordinator only verifies that the supplied recovery key decrypts the sealed state; it does not verify that the key corresponds to one of the recovery keys defined in the manifest.
This allows an attacker to craft their own sealed state, protected by recovery keys they control, together with a manifest that does not match the rest of the state.

If network traffic is redirected from the legitimate Coordinator to the attacker's Coordinator, a remote party is susceptible to impersonation if it verifies the Coordinator without comparing the Coordinator's root certificate against a trusted reference.

Under these circumstances, an attacker can trick the remote party into trusting the malicious Coordinator by presenting a manifest that does not match the actual state of the deployment.

This issue does not affect the following:

  • secrets and state of the legitimate Coordinator instances
  • integrity of workloads
  • certificates chaining back to the legitimate Coordinator root certificate

Patches

The issue has been patched in v1.7.0.

Workarounds

Connections that authenticate purely against a known Coordinator root certificate, e.g. the one retrieved when running the marblerun manifest set CLI command, are not affected, because the attacker's Coordinator cannot present a chain ending in that root.

References

daniel-weisse published to edgelesssys/marblerun Feb 4, 2025
Published to the GitHub Advisory Database Feb 4, 2025
Reviewed Feb 4, 2025

Severity

High

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CVE ID

No known CVE

GHSA ID

GHSA-w7wm-2425-7p2h
