|
| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "HSEC-2023-0015" |
| 4 | +cwe = [672] |
| 5 | +keywords = ["hackage", "mitm", "supply-chain"] |
| 6 | + |
| 7 | +[[affected]] |
| 8 | +package = "cabal-install" |
| 9 | +cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" |
| 10 | +[[affected.versions]] |
| 11 | +introduced = "1.24.0.0" |
| 12 | +fixed = "3.10.2.0" |
| 13 | + |
| 14 | +[[references]] |
| 15 | +type = "REPORT" |
| 16 | +url = "https://github.com/haskell/cabal/issues/8918#issuecomment-1521096581" |
| 17 | +[[references]] |
| 18 | +type = "FIX" |
| 19 | +url = "https://github.com/haskell/cabal/commit/dcfdc9cffd74cade4e8cf3df37c5993413ffd30f" |
| 20 | +``` |
| 21 | + |
| 22 | +# Summary |
| 23 | + |
| 24 | +A problem was recently discovered in `cabal-install`'s |
| 25 | +implementation of the Hackage Security protocol that would allow an |
| 26 | +attacker who was in possession of a revoked private key and who |
| 27 | +could perform a man-in-the-middle attack against Hackage to use the |
| 28 | +revoked key to deliver malicious packages. At this time, this is |
| 29 | +only a theoretical attack - no keys have been revoked. Release |
| 30 | +3.10.2.0 of `cabal-install` contains a fix for this bug, and we have |
| 31 | +contacted distributors of older versions (such as Linux |
| 32 | +distributions) with a patch that they can apply. |
| 33 | + |
| 34 | +# Background |
| 35 | + |
| 36 | +Hackage Security is an implementation of [The Update Framework][], |
| 37 | +which is a design for a package repository that allows untrusted |
| 38 | +mirrors without undermining software supply-chain security. In |
| 39 | +particular, Hackage Security cryptographically guarantees the |
| 40 | +following properties: |
| 41 | + |
| 42 | + * Mirrors of Hackage cannot change the contents of packages. This |
| 43 | + prevents the insertion of malicious code. |
| 44 | + |
| 45 | + * Mirrors cannot omit newer packages for more than a few days |
| 46 | + without clients noticing. This ensures both that mirrors cannot |
| 47 | + maliciously deny security updates, and that mistakes in their |
| 48 | + configuration will be noticed. |
| 49 | + |
| 50 | +Hackage has a [key policy file][] that delegates authority to a |
| 51 | +number of private keys for various purposes. Most of the keys are |
| 52 | +kept securely offline by trusted community members who annually |
| 53 | +re-sign the various files to indicate that they still have |
| 54 | +confidence in Hackage's policies. However, to prevent clients from |
| 55 | +being denied updates, Hackage has an automated process that |
| 56 | +periodically re-signs a timestamp file. This signature has a short |
| 57 | +expiry. Additionally, a snapshot file contains signed hashes of the |
| 58 | +Hackage index that is updated on each package upload. The timestamp |
| 59 | +and snapshot private keys are held in memory on the Hackage server. |
| 60 | +These are called the operational keys. If an operational key is ever |
| 61 | +compromised, then it will be revoked by having the Hackage root |
| 62 | +keyholders sign a new key policy file. To prevent replay attacks, |
| 63 | +clients that connect to Hackage after this update will reject older |
| 64 | +policy files, based on a monotonically increasing file version |
| 65 | +number. |
| 66 | + |
| 67 | +If a client has not yet received the updated policy file (for |
| 68 | +example, because they have a fresh install of `cabal-install` or |
| 69 | +because they have not run `cabal update` in some time), the built-in |
| 70 | +expiration date in the file limits the window of exposure in which |
| 71 | +the revoked operational keys would be expected. As long as the root |
| 72 | +keys have not been compromised, the compromised operational keys can |
| 73 | +only be used until the policy file expires. In addition to |
| 74 | +compromising a Hackage operational key, an attacker would |
| 75 | +additionally need to either compromise a Hackage mirror or perform a |
| 76 | +man-in-the-middle attack against the target in order to serve a |
| 77 | +malicious or obsolete package index. |
| 78 | + |
| 79 | +[key policy file]: https://hackage.haskell.org/root.json |
| 80 | +[The Update Framework]: https://theupdateframework.io/ |
| 81 | + |
| 82 | +# The Issue |
| 83 | + |
| 84 | +A bug in `cabal-install` caused it to skip the verification of the |
| 85 | +key policy file's expiration timestamp. This means that users of |
| 86 | +older, unpatched versions of `cabal-install` could be vulnerable to |
| 87 | +a malicious mirror or man-in-the-middle attack against Hackage if |
| 88 | +they have not connected to Hackage in a long time, even after the |
| 89 | +policy file has expired. |
| 90 | + |
| 91 | +We do not believe that it has been possible to exploit this |
| 92 | +vulnerability, because no operational keys have been revoked. |
| 93 | +However, in case key revocation occurs, we strongly advise all users |
| 94 | +of `cabal-install` to ensure that they have version 3.10.2.0 or |
| 95 | +newer, which contain the fix. |
0 commit comments