oss-sec mailing list archives
Third Party Code Signing Vulnerability in Squirrel & Sparkle
From: Lets Secure <is3curi5 () gmail com>
Date: Wed, 13 Jun 2018 21:05:36 +0530
Based on the recent disclosure at https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/, the Squirrel
<https://github.com/Squirrel/Squirrel.Mac/blob/e9e2188cda3efb4bc08b1719bdef71880f9dc9b1/Squirrel/SQRLCodeSignature.m#L127>
and Sparkle
<https://github.com/sparkle-project/Sparkle/blob/d19c98a8771e6a38766199bb96654de5d8c3efb2/Sparkle/SUCodeSigningVerifier.m#L98>
frameworks also don't perform strict validation of nested architectures, or of the revocation and validity of the signer cert, which can essentially result in bypassing the code-sign validations.

*Squirrel*

SQRLCodeSignature.m#L127

    result = SecStaticCodeCheckValidityWithErrors(staticCode, kSecCSCheckAllArchitectures, (__bridge SecRequirementRef)self.requirement, &validityError);

SecStaticCodeCheckValidityWithErrors is called without the flags:

    kSecCSDefaultFlags | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks

Also, it lacks checks for the chain of trust across nested binaries in a Fat file, i.e. it is missing this code:

    SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &requirementRef);

*Sparkle*

SUCodeSigningVerifier.m#L98

    SecCSFlags flags = (SecCSFlags) (kSecCSDefaultFlags | kSecCSCheckAllArchitectures);
    result = SecStaticCodeCheckValidityWithErrors(staticCode, flags, NULL, &cfError);

The flags should have been set with:

    SecCSFlags flags = (SecCSFlags) (kSecCSDefaultFlags | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks);

But that's not the case with Sparkle.

Best Regards!
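As an added example (not code from the post above, nor from Squirrel or Sparkle), here is a stand-alone Objective-C verifier that calls SecStaticCodeCheckValidityWithErrors with the full flag set discussed in the post and pins the signer with a designated requirement instead of passing NULL. The bundle path comes from argv; the requirement string and the TEAMID placeholder are illustrative assumptions. One caveat for anyone copying the idea: a third-party Developer ID chain satisfies `anchor apple generic`, whereas `anchor apple` alone matches only code signed by Apple itself.

```objective-c
// Added example, not Squirrel's or Sparkle's code: verify a bundle on disk with
// nested code, every architecture slice and certificate revocation all enforced,
// and require a specific signer. The requirement text is an illustrative assumption.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES only if every architecture slice and every nested code resource in
// the bundle at `path` is validly signed and satisfies `requirementText`, with
// certificate revocation enforced. On failure, *outError (if non-NULL) receives
// the CFErrorRef from the Security framework; the caller releases it.
static BOOL VerifyBundleStrict(NSString *path, NSString *requirementText, CFErrorRef *outError)
{
    SecStaticCodeRef staticCode = NULL;
    SecRequirementRef requirement = NULL;
    CFErrorRef error = NULL;
    BOOL ok = NO;

    NSURL *url = [NSURL fileURLWithPath:path];
    if (SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &staticCode) != errSecSuccess) {
        goto cleanup;
    }

    // A requirement must be supplied: passing NULL (as at the cited Sparkle line)
    // only checks that the signature is internally consistent, not who signed it.
    if (SecRequirementCreateWithString((__bridge CFStringRef)requirementText, kSecCSDefaultFlags, &requirement) != errSecSuccess) {
        goto cleanup;
    }

    SecCSFlags flags = (SecCSFlags)(kSecCSDefaultFlags
                                    | kSecCSCheckNestedCode          // descend into frameworks, helpers, plug-ins
                                    | kSecCSCheckAllArchitectures    // every slice of a fat binary, not just the host's
                                    | kSecCSEnforceRevocationChecks); // a revoked cert fails the check instead of being ignored

    OSStatus status = SecStaticCodeCheckValidityWithErrors(staticCode, flags, requirement, &error);
    ok = (status == errSecSuccess);
    if (!ok && outError != NULL) {
        *outError = error;   // hand ownership to the caller
        error = NULL;
    }

cleanup:
    if (error) CFRelease(error);
    if (requirement) CFRelease(requirement);
    if (staticCode) CFRelease(staticCode);
    return ok;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s /path/to/App.app\n", argv[0]);
            return 2;
        }
        NSString *path = [NSString stringWithUTF8String:argv[1]];

        // Illustrative requirement (assumption): an Apple-anchored Developer ID
        // chain whose leaf belongs to one team. Replace TEAMID with the real team ID.
        NSString *req = @"anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\"";

        CFErrorRef err = NULL;
        if (VerifyBundleStrict(path, req, &err)) {
            printf("%s: signature and requirement OK\n", argv[1]);
            return 0;
        }
        NSString *desc = err ? (__bridge_transfer NSString *)CFErrorCopyDescription(err) : @"unknown error";
        fprintf(stderr, "%s: REJECTED: %s\n", argv[1], desc.UTF8String);
        if (err) CFRelease(err);
        return 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security verify.m -o verify` and run it against a bundle. With kSecCSCheckAllArchitectures set, the requirement is evaluated against each slice of a fat binary rather than only the one the host would execute, and kSecCSCheckNestedCode extends the same checks to embedded frameworks and helpers; kSecCSEnforceRevocationChecks turns a revoked signing certificate into a hard failure instead of a silently passed check.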
Current thread:
- Third Party Code Signing Vulnerability in Squirrel & Sparkle Lets Secure (Jun 13)