GHSA-vqv5-385r-2hf8: 
vulnerability analysis and mitigation

The vulnerability (GHSA-vqv5-385r-2hf8) affects Contrast's coordinator recovery mechanism, discovered and disclosed on February 5, 2025. This high-severity vulnerability impacts github.com/edgelesssys/contrast versions 1.4.0 and below, with a CVSS score of 7.1. The issue stems from coordinators not verifying the seed provided during recovery operations, potentially allowing unauthorized coordinator impersonation (GitHub Advisory).

The vulnerability is classified as CWE-285 and has a CVSS v3.1 base score of 7.1 (High). The attack vector is Network-based with low complexity, requiring no privileges but necessitating user interaction. The CVSS metrics indicate unchanged scope, low confidentiality impact, high integrity impact, and no availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) (GitHub Advisory).

The vulnerability allows an attacker to establish a coordinator with a validated manifest while controlling the secret seed. When network traffic is redirected to the attacker's coordinator, they can issue certificates chaining back to the attacker coordinator's root CA and recover arbitrary workload secrets deployed after the attack. However, the vulnerability does not compromise existing coordinator secrets, workload integrity, or certificates chaining back to the mesh CA (GitHub Advisory).

The vulnerability has been patched in Contrast v1.4.1. As a workaround, users can verify the coordinator root CA cert against expectations by keeping a copy of the CA cert returned by the coordinator during the first set call. After subsequent set or verify calls, users should compare the returned CA cert with the backup copy - a bit-by-bit match confirms the coordinator's legitimacy (GitHub Advisory).