CVE-2019-18905: 
Linux openSUSE vulnerability analysis and mitigation

CVE-2019-18905 is an Insufficient Verification of Data Authenticity vulnerability affecting the autoyast2 component in SUSE Linux Enterprise Server 12 and 15. The vulnerability was discovered in 2019 and publicly disclosed on April 3, 2020. The issue affects autoyast2 versions up to 4.1.9-3.9.1 in SLES 12 and versions up to 4.0.70-3.20.1 in SLES 15 (NVD).

The vulnerability stems from the unconditional use of the '--gpg-auto-import-keys' option in zypper commands within the autoyast2 software. This implementation allows for automatic acceptance of any untrusted repository keys encountered by zypper. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) by NIST and 4.8 (Medium) by SUSE, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

When exploited, this vulnerability could allow remote attackers to perform man-in-the-middle (MITM) attacks when deprecated and unused functionality of autoyast is used to create images. This could potentially lead to the acceptance of malicious repository keys and the installation of compromised packages (SUSE Bug).

The vulnerability was addressed in autoyast2 version 4.1.15 by removing all '--gpg-auto-import-keys' options from zypper commands. Users are advised to update to the fixed version. For openSUSE Leap 15.1, the fix is available through the security update openSUSE-SU-2020:0676-1 (OpenSUSE Security).