GHSA-fmj7-7gfw-64pg

Suggest an improvement
Source
https://github.com/advisories/GHSA-fmj7-7gfw-64pg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-fmj7-7gfw-64pg/GHSA-fmj7-7gfw-64pg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fmj7-7gfw-64pg
Aliases
Published
2024-10-15T17:33:50Z
Modified
2024-10-15T23:41:01.085916Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
  • 7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Agent Dart is missing certificate verification checks
Details

Certificate verification (in lib/agent/certificate.dart) has been found to contain two issues: - During the delegation verification (in checkDelegation function) the canisterranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. You have more details in the IC specification here. Also for reference you can check how is this implemented in the agent-rs. - The certificate’s timestamp, i.e /time path, is not verified, meaning that the certificate effectively has no expiration time. The IC spec doesn’t specify an expiry times, it gives some suggestions, quoting: "A reasonable expiry time for timestamps in R.signatures and the certificate Cert is 5 minutes (analogously to the maximum allowed ingress expiry enforced by the IC mainnet). Delegations require expiry times of at least a week since the IC mainnet refreshes the delegations only after replica upgrades which typically happen once a week". For reference you can check how is this implemented in the agent-rs (here and here).

Additionally, seems replica signed queries aren’t implemented

Database specific
{
    "nvd_published_at": "2024-10-15T17:15:11Z",
    "cwe_ids": [
        "CWE-295",
        "CWE-347"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-15T17:33:50Z"
}
References

Affected packages

Pub / agent_dart

Package

Name
agent_dart
Purl
pkg:pub/agent_dart

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.0-dev.29

Affected versions

0.*

0.0.1
0.0.2
0.0.4
0.0.5
0.0.6
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.14+1
0.1.15
0.1.15+1
0.1.15+2
0.1.16
0.1.16+1
0.1.16+2
0.1.17
0.1.17+1
0.1.18
0.1.19
0.1.19+1
0.1.19+2
0.1.19+3
0.1.19+4
0.1.21
0.1.22
0.1.22+1
0.1.23
0.1.23+1
0.1.24
0.1.24+1

1.*

1.0.0-dev.1
1.0.0-dev.2
1.0.0-dev.3
1.0.0-dev.4
1.0.0-dev.5
1.0.0-dev.6
1.0.0-dev.7
1.0.0-dev.8
1.0.0-dev.9
1.0.0-dev.10
1.0.0-dev.11
1.0.0-dev.13
1.0.0-dev.14
1.0.0-dev.15
1.0.0-dev.16
1.0.0-dev.17
1.0.0-dev.18
1.0.0-dev.19
1.0.0-dev.20
1.0.0-dev.21
1.0.0-dev.22
1.0.0-dev.23
1.0.0-dev.24
1.0.0-dev.25
1.0.0-dev.26
1.0.0-dev.27
1.0.0-dev.28

Database specific

{
    "last_known_affected_version_range": "<= 1.0.0-dev.28"
}