GHSA-vqv5-385r-2hf8: Contrast's unauthenticated recovery allows Coordinator impersonation
Recovering coordinators do not verify the seed provided by the recovering party. This allows an attacker to set up a coordinator with a manifest that passes validation, but with a secret seed controlled by the attacker.
If network traffic is redirected from the legitimate coordinator to the attacker's coordinator, a workload owner is susceptible to impersonation if either
- they `set` a new manifest and don't compare the root CA cert with the existing one (this is the default of the `contrast` CLI), or
- they `verify` the coordinator and don't compare the root CA cert with a trusted reference.
Under these circumstances, the attacker can:
- Issue certificates that chain back to the attacker coordinator’s root CA.
- Recover arbitrary workload secrets of workloads deployed after the attack.
This issue does not affect the following:
- secrets of the legitimate coordinator (seed, workload secrets, CA)
- integrity of workloads, even when used with the rogue coordinator
- certificates chaining back to the mesh CA