Impact
The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users have no way to re-enable the verification.
func getAuthToken(ctx context.Context, header http.Header) (string, error) { [skipped]
client := &http.Client{
Timeout: defaultHTTPRequesttimeout,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
[skipped]
}A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at [email protected].
Impact
The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users have no way to re-enable the verification.
A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems.
Patches
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at [email protected].