AWS Tough Library and Tuftool CLI Delegated Metadata Validation Vulnerability
Vulnerability
A vulnerability exists in the AWS Tough library and the Tuftool command-line interface, affecting Tough versions prior to 0.22.0 and Tuftool versions prior to 0.15.0. The issue arises from inadequate expiration, hash, and length enforcement during delegated metadata validation. This flaw allows remote authenticated users with delegated signing authority to circumvent the integrity checks that The Update Framework (TUF) specification requires for delegated targets metadata, and as a result to poison the local metadata cache. The root cause is that the 'load_delegations' function does not apply the same validation checks that the top-level targets metadata path applies.
Impact
Exploitation of this vulnerability allows for the bypass of TUF specification integrity checks for delegated targets metadata, leading to the poisoning of the local metadata cache.
Reproduction
The vulnerability can be reproduced with a Tough library version prior to 0.22.0 and a Tuftool CLI version prior to 0.15.0. After creating a TUF repository with delegated targets, loading the delegated metadata through the 'load_delegations' function skips the expiration, hash, and length checks, so delegated metadata that should fail those checks is accepted and can poison the local metadata cache.
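The following is an added, self-contained illustration (not code from the Tough or Tuftool projects) of the client-side checks the advisory says were skipped for delegated roles: snapshot-pinned length and hash, version agreement, and expiration. Function names such as validate_targets_metadata and load_delegations_checked, the in-memory snapshot dictionary, and the metadata samples are all constructed for this example; signature verification is assumed to happen elsewhere and is not modelled. The point it shows is that a delegated role must go through exactly the same validation routine as the top-level targets role, so a stale or substituted delegated file is rejected before it reaches the local cache.

```python
import hashlib
import json
from datetime import datetime, timezone


class MetadataError(Exception):
    """Raised when a metadata file fails a TUF client-side check."""


def parse_expires(value):
    # TUF metadata uses ISO 8601 UTC timestamps such as "2030-01-01T00:00:00Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_length_and_hashes(raw, expected_length, expected_hashes):
    """Enforce the snapshot's length and hash pins on the raw metadata bytes."""
    if expected_length is not None and len(raw) != expected_length:
        raise MetadataError(f"length {len(raw)} != expected {expected_length}")
    for algorithm, digest in expected_hashes.items():
        if algorithm != "sha256":
            raise MetadataError(f"unsupported hash algorithm {algorithm}")
        if hashlib.sha256(raw).hexdigest() != digest:
            raise MetadataError("sha256 mismatch against snapshot entry")


def validate_targets_metadata(role, raw, snapshot_meta, now):
    """Checks shared by the top-level targets role and every delegated role."""
    entry = snapshot_meta.get(f"{role}.json")
    if entry is None:
        raise MetadataError(f"{role} is not listed in snapshot")
    check_length_and_hashes(raw, entry.get("length"), entry.get("hashes", {}))
    signed = json.loads(raw)["signed"]
    if signed.get("_type") != "targets":
        raise MetadataError("unexpected metadata type")
    if signed["version"] != entry["version"]:
        raise MetadataError("version does not match snapshot")
    if parse_expires(signed["expires"]) <= now:
        raise MetadataError(f"{role} metadata expired")
    return signed


def load_delegations_checked(top_level, fetch, snapshot_meta, now):
    """Hypothetical hardened loader: every delegated role gets the same checks."""
    roles = top_level.get("delegations", {}).get("roles", [])
    return {r["name"]: validate_targets_metadata(r["name"], fetch(r["name"]), snapshot_meta, now)
            for r in roles}


# --- constructed sample repository (not real Tough output) -------------------

def make_targets(version, expires, delegated_names=()):
    signed = {"_type": "targets", "version": version, "expires": expires, "targets": {}}
    if delegated_names:
        signed["delegations"] = {"keys": {},
                                 "roles": [{"name": n, "paths": [f"{n}/*"]} for n in delegated_names]}
    return json.dumps({"signed": signed, "signatures": []}, sort_keys=True).encode()


def snapshot_entry(raw, version):
    return {"version": version, "length": len(raw),
            "hashes": {"sha256": hashlib.sha256(raw).hexdigest()}}


def run_scenarios():
    """Serve different delegated files and report what the checked loader does."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    top = make_targets(1, "2030-01-01T00:00:00Z", ["delegated"])
    good = make_targets(1, "2030-01-01T00:00:00Z")
    expired = make_targets(1, "2020-01-01T00:00:00Z")
    longer = good.replace(b'"targets": {}', b'"targets": {"pkg": {}}')   # different size
    altered = good.replace(b'"version": 1', b'"version": 2')             # same size

    scenarios = [
        ("good", good, good),
        ("expired", expired, expired),   # snapshot really points at it, but it is stale
        ("longer", longer, good),        # substituted file; snapshot still pins the good one
        ("altered", altered, good),      # same length, different content
    ]
    results = {}
    for label, served, pinned in scenarios:
        snapshot = {"targets.json": snapshot_entry(top, 1),
                    "delegated.json": snapshot_entry(pinned, 1)}
        top_signed = validate_targets_metadata("targets", top, snapshot, now)
        try:
            load_delegations_checked(top_signed, lambda _role, s=served: s, snapshot, now)
            results[label] = "accepted"
        except MetadataError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:8} -> {outcome}")
```

Only the untouched file is accepted; the stale file fails the expiration check even though the snapshot pins it, and both substituted files fail the length or hash check before their contents are ever parsed. A client that routes delegated roles through a separate, weaker path loses exactly these rejections.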
Remediation
Users are advised to upgrade to Tough version 0.22.0 or later and Tuftool version 0.15.0 or later. Instructions for upgrading are available in the Tough and Tuftool GitHub repositories.
