CVE-2015-9259

9.8 CRITICAL

📋 TL;DR

This vulnerability in Docker Notary allows attackers to bypass security controls by using expired root.json files to sign malicious updates, despite the system claiming to check expiry. It affects all users of Docker Notary before version 0.1 who rely on it for secure software distribution.

💻 Affected Systems

Products:
  • Docker Notary
Versions: All versions before 0.1
Operating Systems: All platforms running Docker Notary
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using Notary for software signing and verification.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can compromise the entire software supply chain by pushing malicious updates that appear legitimate, potentially leading to widespread system compromise.

🟠 Likely Case

Attackers with access to compromised keys can push malicious container images or software updates to unsuspecting users.

🟢 If Mitigated

With proper monitoring and key rotation policies, impact is limited to detection of anomalous signing activity.

🌐 Internet-Facing: HIGH - Notary servers exposed to the internet could be targeted to distribute malicious updates to all clients.
🏢 Internal Only: MEDIUM - Internal attackers with access to compromised keys could distribute malicious updates within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to compromised signing keys but the actual bypass is straightforward once keys are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1 and later

Vendor Advisory: https://docs.docker.com/notary/changelog/

Restart Required: Yes

Instructions:

1. Stop all Notary services.
2. Update to Notary version 0.1 or later.
3. Restart Notary services.
4. Rotate all signing keys as a precaution.

🔧 Temporary Workarounds

Manual root.json expiry checking

all

Implement custom validation to check root.json expiry dates before accepting updates

# Custom script to validate root.json expiry
# Check timestamp in root.json against current time
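One way to implement that check, as an added example that is not Notary's own code: it assumes the TUF metadata layout Notary uses (a top-level "signed" object with "_type", "version" and an RFC 3339 "expires" string), rejects expired or rolled-back root metadata, and leaves signature verification to the client, which must still be performed.

```python
"""Reject a Notary/TUF root.json whose 'expires' timestamp has passed.

Assumes the TUF layout: {"signed": {"_type": "root", "version": N,
"expires": "YYYY-MM-DDTHH:MM:SSZ"}, "signatures": [...]}. This only
enforces expiry and version ordering; signatures are checked elsewhere."""
import json
from datetime import datetime, timezone


def parse_expires(value: str) -> datetime:
    """Parse a TUF 'expires' string such as '2015-03-01T00:00:00Z' as UTC."""
    if value.endswith("Z"):  # fromisoformat() only accepts 'Z' from 3.11 on
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # a naive timestamp is ambiguous; pin it to UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_root(raw: str, now: datetime, min_version: int = 0) -> tuple[bool, str]:
    """Return (ok, reason). Rejects non-root metadata, expired metadata and
    any version older than the last root we already trusted (rollback)."""
    try:
        signed = json.loads(raw)["signed"]
        if signed.get("_type") != "root":
            return False, "not a root document"
        expires = parse_expires(signed["expires"])
        version = int(signed["version"])
    except (KeyError, ValueError, TypeError) as exc:
        return False, f"malformed root.json: {exc}"
    if expires <= now:
        return False, f"root.json expired at {expires.isoformat()}"
    if version < min_version:
        return False, f"root.json version {version} older than trusted {min_version}"
    return True, "root.json accepted"


# Constructed sample metadata (not taken from any real Notary repository).
EXPIRED_ROOT = json.dumps({"signed": {"_type": "root", "version": 1,
                                      "expires": "2015-01-01T00:00:00Z"},
                           "signatures": []})
FRESH_ROOT = json.dumps({"signed": {"_type": "root", "version": 2,
                                    "expires": "2030-01-01T00:00:00Z"},
                         "signatures": []})

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, doc in (("expired", EXPIRED_ROOT), ("fresh", FRESH_ROOT)):
        print(name, check_root(doc, now))
```

Run it with a clock pinned in the past as well as the present to confirm the same document flips from accepted to rejected once its expiry passes.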

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Notary servers from untrusted networks
  • Enable comprehensive logging and monitoring of all Notary signing activities for anomalies

🔍 How to Verify

Check if Vulnerable:

Check the Notary version: if it is below 0.1, the system is vulnerable.

Check Version:

notary version

Verify Fix Applied:

Verify Notary version is 0.1 or higher and test that expired root.json files are rejected

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed signature validations
  • Use of old root.json files after key rotation
  • Unexpected signing activity from unusual sources

Network Indicators:

  • Unusual patterns of update downloads
  • Connections to Notary servers from unexpected IPs

SIEM Query:

source="notary" AND (event="signature_validation_failed" OR event="old_root_used")
