CVE-2022-35929 in cosign

Summary

by MITRE • 08/04/2022

cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be reproduced with the `distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` image. This image has a `vuln` attestation but not an `spdx` attestation. However, if you run `cosign verify-attestation --type=spdx` on this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue.


Analysis

by VulDB Data Team • 08/30/2022

The vulnerability described in CVE-2022-35929 affects the cosign container signing and verification utility in versions prior to 1.10.1. It is a flaw in the verification logic that produces false positive results and so undermines the guarantee that attestation verification is meant to provide. The flaw manifests when `cosign verify-attestation` is run with the `--type` flag: verification appears to succeed even when no attestation of the requested type exists for the target image, as long as some other attestation with a valid signature is present. Any containerized environment that gates on cosign attestation verification, and the supply chain trust model built on that gate, is affected.

The root cause lies in how `cosign verify-attestation` combined signature verification with the `--type` filter. When a user runs `cosign verify-attestation --type=spdx` on an image that carries attestations of other types (for example a `vuln` attestation) but no `spdx` attestation, the command's success depended only on whether at least one attestation's signature verified; the requested predicate type merely narrowed which attestations were reported, and an empty match was not treated as a failure. The behavior is the same whichever signing method produced the attestations, standard keypair signing or keyless signing with Fulcio, so it cannot be avoided by choosing one over the other. The missing check is a simple one: after filtering, at least one verified attestation of the requested type must remain, or the command must fail.

The operational impact goes beyond a misleading message, because the command's exit status is what policy engines and CI gates act on. A pipeline that requires, say, an SBOM (`spdx`) or provenance attestation before deployment would have accepted any image carrying some other validly signed attestation, such as a vulnerability scan result. That turns the check into "does any attestation exist" rather than "does the required one exist": a party able to attach one attestation of any type, or simply a build that never produced the required one, passes the gate. The issue is most dangerous precisely in environments with layered policies that require several attestation types, since the presence of one type masked the absence of the others.

VulDB classifies this issue under CWE-284 (Access Control Issues); a more precise mapping for a signature-verification logic flaw is CWE-347 (Improper Verification of Cryptographic Signature), since the tool reported a successful verification for an attestation that was never verified. In ATT&CK terms the closest fit is T1553 Subvert Trust Controls, specifically T1553.006 Code Signing Policy Modification, because the outcome is that a code-signing policy is satisfied without the required signed artifact. Organizations using cosign for software supply chain integrity verification, container image provenance tracking, or compliance evidence are affected, and because the impact spans both standard keypair and keyless signing, the set of affected deployments is broad.

The fix shipped in cosign 1.10.1, which makes `verify-attestation` fail when no verified attestation of the requested type is found, for all signing methods and predicate types. Organizations should upgrade to 1.10.1 or later; the upstream advisory lists no workaround, since the flaw is in the command's own verification logic. Pending the upgrade, a pipeline should not trust the exit status alone for this check; at minimum it should confirm that the attestations actually returned carry the predicate type it requires. Security teams should also review past verification results produced by affected versions, since an image that passed a `--type` check may never have had that attestation at all, and keep verification tooling current, because this class of bug lives in the gatekeeper itself.
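The root-cause and fix paragraphs above describe the check that was missing; the following Go program, an added example written for this page and not cosign's own code, makes it concrete. It signs a DSSE-wrapped in-toto attestation, then runs the same set of envelopes through the pre-1.10.1 logic (success once any envelope verifies) and the 1.10.1 logic (success only with a verified envelope of the requested predicate type). The predicate type URIs, the `registry.invalid/app` subject, the constructed `vuln` predicate and the `Scenario` helper are assumptions of the example; ed25519 stands in for whatever key type cosign would use, and real cosign also binds the statement's subject digest to the image, which this model omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// DSSE payload type for in-toto attestations, plus the predicate type URIs
// behind two --type shorthands (assumed to match cosign's map; check your version).
const (
	payloadType = "application/vnd.in-toto+json"
	TypeVuln    = "https://cosign.sigstore.dev/attestation/vuln/v1" // --type vuln
	TypeSPDX    = "https://spdx.dev/Document"                       // --type spdx
)

// Envelope models the DSSE envelope cosign stores for each attestation.
type Signature struct{ Sig string `json:"sig"` }
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto Statement
	Signatures  []Signature `json:"signatures"`
}

// pae is the DSSE pre-authentication encoding that is actually signed.
func pae(pt string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(pt), pt, len(body), body))
}

// signAttestation wraps a predicate in a (subject-trimmed) in-toto Statement
// and signs it; ed25519 stands in for the key type cosign would use.
func signAttestation(priv ed25519.PrivateKey, predicateType string, predicate any) Envelope {
	body, _ := json.Marshal(map[string]any{
		"predicateType": predicateType,
		"subject":       []map[string]string{{"name": "registry.invalid/app"}}, // assumed subject
		"predicate":     predicate,
	})
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(body),
		[]Signature{{base64.StdEncoding.EncodeToString(sig)}}}
}

// verifyEnvelope checks the DSSE signature and returns the predicateType.
func verifyEnvelope(pub ed25519.PublicKey, env Envelope) (string, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", err
	}
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw) {
			var st struct{ PredicateType string `json:"predicateType"` }
			err = json.Unmarshal(body, &st)
			return st.PredicateType, err
		}
	}
	return "", fmt.Errorf("no valid signature on envelope")
}

// VerifyAttestationOfType has the shape of cosign's verify-attestation loop.
// requireMatch=false reproduces the pre-1.10.1 bug (success once any envelope
// verifies; --type only narrows what is printed); true is the 1.10.1 fix.
func VerifyAttestationOfType(pub ed25519.PublicKey, envs []Envelope, wantType string, requireMatch bool) error {
	verified, matched := 0, 0
	for _, env := range envs {
		pt, err := verifyEnvelope(pub, env)
		if err != nil {
			continue // an unsigned or tampered envelope never counts
		}
		verified++
		if pt == wantType {
			matched++
		}
	}
	if verified == 0 || (requireMatch && matched == 0) {
		return fmt.Errorf("no valid attestations found with predicate type %s", wantType)
	}
	return nil
}

// Scenario reproduces the advisory (one valid vuln attestation, no spdx
// attestation, caller asks for spdx) plus a control verifier holding the wrong key.
func Scenario() (vulnerableSPDX, fixedSPDX, fixedVuln, wrongKey error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	other, _, _ := ed25519.GenerateKey(rand.Reader)
	envs := []Envelope{signAttestation(priv, TypeVuln, map[string]any{"scanner": "constructed sample"})}
	return VerifyAttestationOfType(pub, envs, TypeSPDX, false),
		VerifyAttestationOfType(pub, envs, TypeSPDX, true),
		VerifyAttestationOfType(pub, envs, TypeVuln, true),
		VerifyAttestationOfType(other, envs, TypeVuln, false)
}

func main() {
	v, f, fv, wk := Scenario()
	fmt.Println("pre-1.10.1 --type=spdx:", v, "\n1.10.1+ --type=spdx:", f)
	fmt.Println("1.10.1+ --type=vuln:", fv, "\nwrong key:", wk)
}
```

Run it with `go run` and compare the first two results: the pre-1.10.1 path returns no error for `--type=spdx` against an image that only carries a `vuln` attestation, which is exactly the false positive in the advisory, while the fixed path rejects it and still accepts `--type=vuln`. The wrong-key control shows that the bug was never about signature checking itself; the signatures were verified correctly, only the type requirement was not enforced.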

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

08/04/2022

Moderation

accepted

CPE

ready

EPSS

0.00540

KEV

no

Activities

very low

Sources