go-tuf Improper Signature Verification Vulnerability in TUF Metadata Delegations

Vulnerability

A vulnerability exists in go-tuf versions from 2.0.0 up to, but not including, 2.3.1: a compromised or misconfigured TUF repository can publish delegation metadata whose signature threshold is 0. Because the verifier only checks that the number of valid signatures is at least the threshold, a threshold of 0 is satisfied by zero signatures, so signature verification is effectively disabled for that delegation. This allows unauthorized modification of the affected TUF metadata files both at rest and in transit, as no integrity check is enforced on them. The issue is patched in version 2.3.1.

Impact

The vulnerability allows unauthorized changes to TUF metadata covered by a delegation with a zero threshold, and no integrity check prevents or detects such modifications.

Reproduction

To reproduce this vulnerability, configure a TUF repository so that the signature threshold of a delegated role is 0. This can be done by manually editing the delegation entry in the TUF metadata roles. Once the threshold is 0, verification of the delegated metadata succeeds even when no valid signatures are present.

Remediation

Users are advised to upgrade to go-tuf version 2.3.1 or later. As a workaround, ensure that every TUF metadata role, including delegated roles, is configured with a signature threshold of at least 1.
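The following Go program is an added illustration of the failure mode described in the Vulnerability, Reproduction and Remediation sections above; it is not go-tuf's own code and does not use its API. It models a delegated role with a key list and a threshold, shows why a "valid signature count >= threshold" check accepts unsigned metadata when the threshold is 0, and shows the two defensive fixes a verifier or repository operator wants: rejecting any threshold below 1 before counting signatures, and auditing a set of roles for zero thresholds. Key IDs, role names and the signed payload are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// Signature pairs a key identifier with a raw signature over the canonical
// "signed" portion of a metadata file.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Role models the fields of a TUF (delegated) role that matter here: the
// key IDs trusted to sign it and how many distinct keys must have signed.
type Role struct {
	KeyIDs    []string
	Threshold int
}

var (
	ErrInvalidThreshold = errors.New("role threshold must be at least 1")
	ErrThresholdNotMet  = errors.New("not enough valid signatures for role")
)

// countValidSignatures returns the number of distinct trusted keys whose
// signature over signed verifies. A key counts at most once, so repeating
// one key's signature cannot inflate the count.
func countValidSignatures(role Role, keys map[string]ed25519.PublicKey, signed []byte, sigs []Signature) int {
	trusted := make(map[string]bool, len(role.KeyIDs))
	for _, id := range role.KeyIDs {
		trusted[id] = true
	}
	seen := make(map[string]bool)
	n := 0
	for _, s := range sigs {
		if !trusted[s.KeyID] || seen[s.KeyID] {
			continue
		}
		pub, ok := keys[s.KeyID]
		if ok && ed25519.Verify(pub, signed, s.Sig) {
			seen[s.KeyID] = true
			n++
		}
	}
	return n
}

// verifyNaive is the weak pattern: it only asks whether the valid count
// reaches the threshold. With Threshold == 0 the comparison 0 >= 0 holds,
// so metadata carrying no signatures at all is accepted.
func verifyNaive(role Role, keys map[string]ed25519.PublicKey, signed []byte, sigs []Signature) error {
	if countValidSignatures(role, keys, signed, sigs) < role.Threshold {
		return ErrThresholdNotMet
	}
	return nil
}

// verifyStrict refuses to trust a role whose threshold is below 1 before it
// counts anything, which is the behaviour a fixed verifier should have.
func verifyStrict(role Role, keys map[string]ed25519.PublicKey, signed []byte, sigs []Signature) error {
	if role.Threshold < 1 {
		return ErrInvalidThreshold
	}
	return verifyNaive(role, keys, signed, sigs)
}

// checkDelegationThresholds audits roles (for example, parsed from a targets
// file's delegations) and returns, sorted, the names of any with a
// threshold below 1. This is the workaround check a repository operator
// can run over existing metadata.
func checkDelegationThresholds(roles map[string]Role) []string {
	var bad []string
	for name, r := range roles {
		if r.Threshold < 1 {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"key-1": pub}
	signed := []byte(`{"_type":"targets","version":1}`) // constructed payload
	role := Role{KeyIDs: []string{"key-1"}, Threshold: 0}

	fmt.Println("threshold 0, no signatures, naive:", verifyNaive(role, keys, signed, nil))
	fmt.Println("threshold 0, no signatures, strict:", verifyStrict(role, keys, signed, nil))

	role.Threshold = 1
	sig := Signature{KeyID: "key-1", Sig: ed25519.Sign(priv, signed)}
	fmt.Println("threshold 1, one valid signature, strict:", verifyStrict(role, keys, signed, []Signature{sig}))
	fmt.Println("roles with bad thresholds:", checkDelegationThresholds(map[string]Role{
		"delegated-a": {Threshold: 0}, "delegated-b": {Threshold: 1}}))
}
```

The strict check belongs in the verifier rather than only in repository tooling, because the threshold is read from metadata the attacker may control; a client that trusts a threshold of 0 has already lost. The audit function is still useful on the repository side to catch the misconfiguration before it is signed and published.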

Added: Jan 22, 2026, 3:21 AM
Updated: Jan 22, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          2.5
exploitability  5.3
remediation     7.9
relevance       2.3
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.