github.com/notaryproject/notation-go
cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*
- >= v1.2.0-beta.1, <= v1.3.0-rc.1
A vulnerability exists in the Notary Project's notation-go library in versions 1.2.0-beta.1 through 1.3.0-rc.1. When generating a timestamp signature, the library did not verify the revocation status of the certificates used for the timestamp countersignature. An attacker in a Man-in-the-Middle position could therefore use a compromised or revoked certificate to create a malicious countersignature, which notation-go would accept and store. Because later signature verification fails when it encounters the revoked certificate, this can lead to denial-of-service scenarios in CI/CD environments.
Exploitation could cause denial-of-service conditions, particularly in CI/CD environments, by disrupting the signature verification process: verification fails because of the revoked certificate in the stored countersignature, potentially causing operational delays or other issues.
The vulnerability can be reproduced by generating a timestamp signature with a revoked or compromised certificate. This can be done by configuring the timestamping options to include a certificate that has been revoked or is otherwise invalid, and then observing the signature verification process, which should fail due to the revoked certificate.
Users are advised to upgrade to version 1.3.0-rc.2, where this vulnerability has been addressed. Instructions for upgrading can be found in the project's GitHub repository.