The osbuild-composer project is an open-source system for building Linux distributions and images. A security vulnerability has been discovered in osbuild-composer that disables GPG verification for package repositories. This exposes the build to a Man-in-the-Middle (MITM) attack in which untrusted code is installed into the image being built. This article discusses the vulnerability, provides a code snippet to demonstrate the issue, and offers links to original references for further investigation.

Exploit Details

The security vulnerability in osbuild-composer is identified as CVE-2024-2307. When triggered, it disables the GPG verification process for package repositories during the build phase. Without that verification, an attacker positioned between the package repository and osbuild-composer (MITM) can intercept the traffic and inject untrusted, unsigned packages into the image being built.

Code Snippet

Consider the following code snippet describing the issue. It illustrates how GPG verification is dropped once the disabling condition is triggered: the repository URL is still used, but no key is kept to verify the packages fetched from it:

```python
def build_image(input):
    repo_url = input.repo_url
    gpg_key = input.gpg_key
    if input.config.get("disable_gpg_check", False):
        # GPG check is disabled; packages from the repository are not verified
        gpg_key = None
    # The build proceeds with repo_url even when gpg_key is None
    return repo_url, gpg_key
```
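As an added example (not code from osbuild-composer or this article), the following shows the weak behaviour beside a fail-closed alternative: rendering a dnf-style repository stanza that silently emits `gpgcheck=0`, versus auditing the repository definition and refusing to build when GPG verification cannot happen. The `RepoDef` fields and function names are assumptions for illustration, not the project's API.

```python
from dataclasses import dataclass, field

@dataclass
class RepoDef:
    """Assumed shape of a repository definition (constructed for this example)."""
    name: str
    baseurl: str
    check_gpg: bool = True
    gpgkeys: list = field(default_factory=list)

def render_repo_unchecked(repo: RepoDef) -> str:
    """Weak rendering: honours check_gpg=False and emits gpgcheck=0,
    so packages from this repository are never signature-checked."""
    lines = [f"[{repo.name}]", f"baseurl={repo.baseurl}",
             f"gpgcheck={1 if repo.check_gpg else 0}"]
    if repo.gpgkeys:
        lines.append("gpgkey=" + " ".join(repo.gpgkeys))
    return "\n".join(lines) + "\n"

def audit_repo(repo: RepoDef) -> list:
    """Return the reasons this repository would leave the build unverified."""
    findings = []
    if not repo.check_gpg:
        findings.append("gpgcheck disabled")
    if not repo.gpgkeys:
        # gpgcheck=1 with no key configured cannot verify anything either
        findings.append("no gpgkey configured")
    return findings

def render_repo_enforced(repo: RepoDef) -> str:
    """Hardened rendering: fail closed instead of emitting an unverified repo."""
    problems = audit_repo(repo)
    if problems:
        raise ValueError(f"repo {repo.name!r}: " + "; ".join(problems))
    return render_repo_unchecked(repo)  # reached only with gpgcheck=1 and a key

# Constructed sample input: one repository with verification switched off
WEAK_REPO = RepoDef("baseos", "https://mirror.example/baseos", check_gpg=False)
GOOD_REPO = RepoDef("baseos", "https://mirror.example/baseos",
                    gpgkeys=["https://mirror.example/RPM-GPG-KEY"])

if __name__ == "__main__":
    print(render_repo_unchecked(WEAK_REPO))   # contains gpgcheck=0
    print(audit_repo(WEAK_REPO))              # ['gpgcheck disabled', 'no gpgkey configured']
    print(render_repo_enforced(GOOD_REPO))    # gpgcheck=1 plus gpgkey line
```

Run the audit over every repository in a build request before rendering any of them; a single unverified repository is enough to expose the whole build.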

Timeline

Published on: 03/19/2024 17:15:12 UTC
Last modified on: 04/30/2024 14:15:15 UTC