Severity: LOW (3.7)

GHSA-6c87-g9pw-78fx

Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries

Details

# Summary

`Config.registryFor` selected a per-registry credential / CA / mirror block by checking `strings.HasSuffix(name, fqdn)` after stripping a single trailing dot. The match has no boundary between the configured FQDN and whatever characters precede it in the request hostname. A registry configured as `[registries."ghcr.io."]` is therefore also applied to any image pulled from a host whose name happens to end in the literal byte sequence `ghcr.io`, including attacker-registered domains such as `evilghcr.io`. The imagepuller would then send the configured `Authorization` header (basic auth, registry token, or identity token), trust the configured custom CA bundle, follow the configured mirror, and honour `insecure-skip-verify` on requests to that hostname.

# Prerequisites

For this to be applicable, an image or layer must be pulled from a "sibling" domain whose name ends in one of the FQDNs configured in the imagepuller config. This can happen by an attacker's design or by coincidence.

# Impact

- The authentication header configured for the FQDN leaks to the sibling registry.
- If `insecure-skip-verify` is set on the FQDN, TLS is also not verified for the sibling registry.
- A custom CA bundle configured for the FQDN is trusted for the sibling registry.
- Mirrors configured for the FQDN are also used with the sibling registry.

## Not impacted

Image integrity is **not** impacted. Image bytes remain pinned by digest in the policy and are validated after the pull. This advisory does not allow code substitution.

# Workaround

- If possible, configure explicit subdomains in the imagepuller config. A configuration for `[registries.".example.registry"]` is unaffected, because the leading `.` forces a label boundary; only `[registries."example.registry"]` is potentially affected.
- Audit the images and layers referenced in the deployment for hosts that are sibling domains of a configured FQDN.

# Patches

After this patch, registry matches are determined by exact label equality instead of suffix matching. Each `.`-separated label of the configured FQDN must exactly equal the corresponding label in the image reference's host, so `evilghcr.io` no longer matches a configuration for `ghcr.io`.
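The following is an added example, not Contrast's own code, that models the two matching rules described in this advisory side by side: the pre-fix `strings.HasSuffix` check after stripping a trailing dot, and a label-by-label comparison as described under Patches. The function names `VulnerableMatch`, `LabelMatch` and `RegistryFor`, the configuration keys and the image hosts are all constructed for illustration; treating a leading-dot key (`.example.registry`) as "exactly one non-empty label here" is this example's reading of the Workaround section, not a documented behaviour of the project.

```go
package main

import (
	"fmt"
	"strings"
)

// VulnerableMatch models the pre-fix check the advisory describes: a single
// trailing dot is stripped and the configured FQDN is compared with
// strings.HasSuffix, so nothing separates the configured name from whatever
// precedes it in the host. Modelled from the advisory text, not project code.
func VulnerableMatch(host, configured string) bool {
	fqdn := strings.TrimSuffix(configured, ".")
	name := strings.TrimSuffix(host, ".")
	return strings.HasSuffix(name, fqdn)
}

// LabelMatch models the patched behaviour: both names are split on "." and
// every configured label must equal the corresponding trailing label of the
// host. A leading empty label (config key ".example.registry") is treated as
// "exactly one non-empty label goes here", i.e. subdomains only. That reading
// of the leading-dot form is an assumption of this example.
func LabelMatch(host, configured string) bool {
	hostLabels := strings.Split(strings.TrimSuffix(host, "."), ".")
	cfgLabels := strings.Split(strings.TrimSuffix(configured, "."), ".")
	if len(cfgLabels) > len(hostLabels) {
		return false
	}
	// Align the configured labels with the trailing labels of the host.
	offset := len(hostLabels) - len(cfgLabels)
	for i, want := range cfgLabels {
		got := hostLabels[offset+i]
		if want == "" {
			// Leading-dot wildcard: any single non-empty label is accepted.
			if got == "" {
				return false
			}
			continue
		}
		if got != want {
			return false
		}
	}
	return true
}

// RegistryFor returns the first configured key that matches host under the
// given matcher, or "" when none does. This is a hypothetical stand-in for
// the selection step the advisory calls Config.registryFor; whichever key is
// returned is the one whose credentials, CA bundle and mirror would be used.
func RegistryFor(host string, configured []string, match func(host, cfg string) bool) string {
	for _, key := range configured {
		if match(host, key) {
			return key
		}
	}
	return ""
}

func main() {
	// Constructed configuration keys and image hosts for illustration.
	configured := []string{"ghcr.io.", ".example.registry"}
	hosts := []string{
		"ghcr.io",
		"sub.ghcr.io",
		"evilghcr.io", // sibling domain: leaks under suffix matching only
		"foo.example.registry",
		"fooexample.registry", // leading-dot key blocks this in both modes
		"example.registry",
	}
	for _, h := range hosts {
		fmt.Printf("%-22s suffix-match -> %-20q label-match -> %q\n",
			h,
			RegistryFor(h, configured, VulnerableMatch),
			RegistryFor(h, configured, LabelMatch))
	}
}
```

Running the block shows `evilghcr.io` selecting the `ghcr.io.` block under suffix matching and nothing under label matching, while `fooexample.registry` selects nothing under either rule, which is why the leading-dot configuration is listed as a workaround.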

# Severity

- `AV:N` because the leak is over the network to a registry under the attacker's control.
- `AC:H` because exploitation requires the operator to have configured a registry FQDN without a leading `.` AND the attacker to control a sibling-suffix domain that the deployment will pull from.
- `PR:N` because the attacker needs no privileges on the deployment; they only need to receive the request.
- `S:U` because the impact stays within the imagepuller.
- `C:L` for the credential leak (no integrity / availability impact).


Affected package

Go / github.com/edgelesssys/contrast
First affected version: 0. Fixed version: 1.21.0
Fix: go get github.com/edgelesssys/contrast@v1.21.0
