During the Spring of 2023, OSTIF, ADA Logics, and The Notary Project collaborated on a security audit of the new Notation libraries. Notation is a CLI project to add signatures as standard items in the registry ecosystem and to build a set of simple tooling for signing and verifying signatures.
Seven issues were found by the audit team and remediated by the Notary Project team. A single high vulnerability identified during the engagement allowed unverified descriptors to be fetched from a remote registry. This was classified as CVE-2023-33959. Such an action could allow a malicious actor to sign or verify an artifact that could fool a user into using a malicious artifact. A solution was devised by using the library to validate descriptors as being provided by the user. Three issues (two medium and one low) were related to signature processing, using endless data attacks to cause resource exhaustion that could lead to denial of service. See CVE-2023-33957 and CVE-2023-33958 for more details. The fix for these scenarios was uncomplicated, and can even be modified by users should it be necessary for their use of the library.
The CVEs linked above were issued for three of the seven findings, and the other four received documentation to track them or CLI command flag name changes. These resolutions are in place in subsequent releases including RC-7 and 1.0.0 of Notary.
The Notary Project team was eager and reactive to solving reported issues, and as a result their development and release processes were tested and improved. Thank you particularly to Feynman Zhou, Junjie Gao, Pritesh Bandi, Patrick Zheng, Samir Kakkar, Shiwei Zhang, Toddy Mladenov, Vani Rao, and Yi Zha for their involvement in this audit. ADA Logics created and imparted wonderful work with this audit and report, and we are thankful to them for their part. Finally, OSTIF would like to offer our gratitude to CNCF for their financial support of work like this and other efforts that improve open source security.
You can read more details about the work done here at ADA Logics’ blog https://adalogics.com/blog/notation-security-audit-2023
For full details on the audit and methodology followed, see the full report here
For further information on Notation, see this link https://github.com/notaryproject/notation