Apko APK Package Verification Vulnerability Allows Arbitrary Package Installation

Vulnerability

A vulnerability in Apko versions prior to 1.2.7 allows for the installation of arbitrary packages into OCI container images. While Apko verifies the signature of the APKINDEX.tar.gz file, it fails to compare the checksums of individually downloaded .apk packages against those recorded in the signed index. This oversight enables an attacker to exploit compromised mirrors, HTTP repositories, or poisoned CDN caches to substitute package contents without detection. The issue has been patched in version 1.2.7.

Impact

Exploitation of this vulnerability could lead to the installation of malicious or unauthorized packages in container images, potentially causing harm when those images are deployed.

Reproduction

To reproduce this vulnerability, use Apko versions prior to 1.2.7 to build an OCI container image from APK packages. During the process, the application will download .apk files from a repository. If these packages are served by a compromised mirror or through an HTTP repository that has been poisoned, the downloaded packages can be manipulated to include arbitrary content. Apko will accept these tampered packages without any verification, as the checksum mismatch will go undetected.
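The following is an added example, not Apko's own code, showing the per-package check the advisory describes as missing: after the signed APKINDEX has been verified, each downloaded .apk is tied back to the checksum the index records for it, so a substituted package from a mirror or CDN cache is rejected before it reaches the image. It assumes the APK v2 layout of three concatenated gzip streams (signature, control, data), that the index's C: field is "Q1" plus base64 of the SHA-1 over the compressed control segment, and that the datahash line in .PKGINFO is the SHA-256 of the compressed data segment; all three are assumptions about the format, not statements taken from the advisory.

```python
import base64, gzip, hashlib, io, tarfile, zlib

def split_gzip_members(blob: bytes) -> list[bytes]:
    """Split concatenated gzip streams (the assumed APK v2 layout) into compressed members."""
    members, pos = [], 0
    while pos < len(blob):
        d = zlib.decompressobj(wbits=31)  # 31 = require a gzip wrapper, stop after one member
        d.decompress(blob[pos:])
        if not d.eof:
            raise ValueError("truncated gzip member")
        end = len(blob) - len(d.unused_data)  # unused_data is everything after this member
        members.append(blob[pos:end])
        pos = end
    return members

def control_checksum(control_gz: bytes) -> str:
    """Encode a control segment the way the index records it (assumed): 'Q1' + base64(SHA-1)."""
    return "Q1" + base64.b64encode(hashlib.sha1(control_gz).digest()).decode()

def pkginfo_datahash(control_gz: bytes) -> str:
    """Read the 'datahash' entry of .PKGINFO inside the control tarball."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(control_gz))) as tar:
        text = tar.extractfile(".PKGINFO").read().decode()
    for line in text.splitlines():
        key, _, value = line.partition(" = ")
        if key == "datahash":
            return value.strip()
    raise ValueError(".PKGINFO has no datahash")

def parse_apkindex(text: str) -> dict[str, str]:
    """Map package name (P:) to recorded checksum (C:) for each blank-line-separated stanza."""
    index, fields = {}, {}
    for line in text.splitlines() + [""]:
        if line:
            fields[line[:1]] = line[2:]
        elif fields:
            index[fields["P"]] = fields.get("C", "")
            fields = {}
    return index

def verify_package(name: str, apk: bytes, index: dict[str, str]) -> bool:
    """The check Apko < 1.2.7 skipped: bind the downloaded bytes to the signed index entry."""
    members = split_gzip_members(apk)
    if len(members) != 3:  # expected: signature, control, data
        return False
    _sig, control, data = members
    if control_checksum(control) != index.get(name):
        return False  # control segment is not the one the signed index vouches for
    # The index checksum covers only the control segment; .PKGINFO's datahash covers the data.
    return hashlib.sha256(data).hexdigest() == pkginfo_datahash(control)
```

A build pipeline would call verify_package on every downloaded .apk before unpacking it into the image layer, and treat a False result as a fetch failure rather than a warning.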

Remediation

Upgrade to Apko version 1.2.7 or later, which contains the fix. Until upgraded builds are in place, treat images built by earlier versions from untrusted mirrors or plain-HTTP repositories as unverified.

Added: May 9, 2026, 8:22 PM
Updated: May 9, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  7.1
remediation     0.0
relevance       7.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.