
Missing certificate verification checks

High
AlexV525 published GHSA-fmj7-7gfw-64pg Oct 15, 2024

Package

agent_dart (Dart)

Affected versions

<= 1.0.0-dev.28

Patched versions

1.0.0-dev.29

Description

Hi,

My name is Eduard, I work in Dfinity's product security team. During an internal review I checked agent_dart and I think I’ve found some issues. Full disclosure: I haven’t done a full review and I may be missing some context, so some of these issues may be false positives, but I wanted to report them to you just in case:

  • Certificate verification (in lib/agent/certificate.dart), there are two issues:
    • During the delegation verification (in the _checkDelegation function) the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses on behalf of another subnet. You have more details in the IC specification here. Also for reference you can check how this is implemented in the agent-rs.
    • The certificate’s timestamp, i.e. the /time path, is not verified, meaning that the certificate effectively has no expiration time. The IC spec doesn’t specify an expiry time; it gives some suggestions, quoting: "A reasonable expiry time for timestamps in R.signatures and the certificate Cert is 5 minutes (analogously to the maximum allowed ingress expiry enforced by the IC mainnet). Delegations require expiry times of at least a week since the IC mainnet refreshes the delegations only after replica upgrades which typically happen once a week". For reference you can check how this is implemented in the agent-rs (here and here).

Additionally, it seems replica-signed queries aren’t implemented; if you’re already aware and it’s in your roadmap, just ignore this.

If you have any questions, let me know and I’ll be happy to help!

Cheers!
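As an added illustration of the two checks the report describes (the 5-minute /time window and canister_ranges coverage during delegation verification), here is standalone Dart that is neither agent_dart's own code nor the fix shipped in 1.0.0-dev.29. It assumes the /time leaf has already been decoded to nanoseconds since the UNIX epoch, that canister_ranges has been decoded to inclusive [start, end] principal byte pairs, and that principals order byte-wise.

```dart
import 'dart:typed_data';
class CertificateVerificationError extends FormatException {
  CertificateVerificationError(String message) : super(message);
}

/// 5-minute window, the figure quoted in the report.
const Duration maxCertTimeOffset = Duration(minutes: 5);

/// [certTimeNanos] is the decoded /time value (nanoseconds since UNIX epoch).
void checkCertificateTime(BigInt certTimeNanos, DateTime now) {
  final micros = (certTimeNanos ~/ BigInt.from(1000)).toInt();
  final certTime = DateTime.fromMicrosecondsSinceEpoch(micros, isUtc: true);
  final offset = now.toUtc().difference(certTime).abs(); // past or future
  if (offset > maxCertTimeOffset) {
    throw CertificateVerificationError(
        '/time is $offset away from local time ($certTime vs $now)');
  }
}

/// Byte-wise principal comparison (assumed here to match the IC ordering).
int _compareBytes(Uint8List a, Uint8List b) {
  final n = a.length < b.length ? a.length : b.length;
  for (var i = 0; i < n; i++) {
    if (a[i] != b[i]) return a[i] - b[i];
  }
  return a.length - b.length;
}

/// Each range is [start, end], inclusive; an empty list covers nothing.
void checkCanisterRanges(List<List<Uint8List>> ranges, Uint8List canisterId) {
  final covered = ranges.any((r) =>
      _compareBytes(r[0], canisterId) <= 0 &&
      _compareBytes(canisterId, r[1]) <= 0);
  if (!covered) {
    throw CertificateVerificationError(
        'delegation canister_ranges do not cover the requested canister');
  }
}

void main() {
  // Constructed sample: a 6-minute-old certificate and a non-covering range.
  final now = DateTime.utc(2024, 10, 15, 12);
  final sixMinAgo = now.subtract(const Duration(minutes: 6));
  final stale = BigInt.from(sixMinAgo.microsecondsSinceEpoch) * BigInt.from(1000);
  final ranges = [[Uint8List.fromList([0, 0, 0, 0, 0, 0, 0, 1, 1, 1]),
                   Uint8List.fromList([0, 0, 0, 0, 0, 0, 0, 5, 1, 1])]];
  final id = Uint8List.fromList([0, 0, 0, 0, 0, 0, 0, 9, 1, 1]);
  try { checkCertificateTime(stale, now); } catch (e) { print(e); }
  try { checkCanisterRanges(ranges, id); } catch (e) { print(e); }
}
```

Both sample inputs are rejected; a certificate within the window and a canister id inside one of the ranges pass silently.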

Severity

High

CVE ID

CVE-2024-48915

Weaknesses

No CWEs

Credits