CVE-2024-45395: sigstore-go has an unbounded loop over untrusted input that can lead to an endless data attack
sigstore-go is susceptible to a denial of service attack when a verifier is given a maliciously crafted Sigstore bundle containing large amounts of verifiable data in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. Verifying each of these data structures is computationally expensive, and the verifier processes every one the bundle contains, so an attacker can make it consume excessive CPU resources. TUF's security model calls this class of vulnerability an "endless data attack"; the result is that verification fails to complete, disrupting services that rely on sigstore-go for verification.
The vulnerable loops are in the verification functions in the package github.com/sigstore/sigstore-go/pkg/verify. The first is the DSSE envelope verification loop in verifyEnvelopeWithArtifact, which decodes every subject digest in an attestation. The next is in the VerifyArtifactTransparencyLog function, which verifies every signed transparency log entry in a bundle. The last is in the VerifyTimestampAuthority function, which verifies every RFC 3161 timestamp in a bundle. In each case the number of iterations is dictated by the bundle's contents, and the verifier imposes no upper bound of its own.