Bug 1065397 (CVE-2017-14806)

Summary: VUL-0: CVE-2017-14806: studio: Insecure handling of repodata and packages
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: cbruckmayer, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3:SUSE:CVE-2017-14806:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-10-27 07:33:40 UTC
Due to

    sid/getfile-gem/ext/getfile/getfile.c: curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);

certificates are not checked. This makes it possible to MITM connections to the repositories.

Once in a MITM position the repodata can be modified, since the gpg signature isn't verified. The packages are only checked against the checksum specified in the repo metadata; the gpg signature on the packages is not checked:
    def install_cmds packages
      packages.map do |repo_descriptor, packages|
        repo = (repo_descriptor == "general" ? nil : repo_descriptor)
        cmd = [
          "sudo",
          "zypper",
          "-vvv",
          "-n" ,
          "--no-gpg-checks",
          "install",
          "--auto-agree-with-licenses",
          ("--from" if repo),

This makes it easy to get malicious packages installed. I was able to MITM a connection while building an appliance and get a modified rpm installed without any warning.
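The point of the report is that a checksum taken from repodata only protects a package if the repodata itself was authenticated first. The following is an added Ruby example, not Studio's or the getfile gem's code, that models that trust chain with a constructed repodata document, a throwaway RSA key standing in for the repository signing key (the real repos use gpg, which this stand-in replaces), and constructed package bytes; it shows a checksum-only check accepting an attacker-supplied package when the repodata was swapped, while the signature-first check rejects it.

```ruby
require 'openssl'
require 'digest'

# Constructed stand-in for a repository: a throwaway signing key (hypothetical,
# not SUSE's), the public half the client pins, and two packages.
REPO_KEY = OpenSSL::PKey::RSA.new(2048)
TRUSTED_PUBKEY = OpenSSL::PKey::RSA.new(REPO_KEY.public_key.to_der)
GOOD_PKG = "good package contents (constructed)"
EVIL_PKG = "malicious package contents (constructed)"

# Minimal repodata: one "name sha256" line per package, standing in for
# repomd.xml/primary.xml. Real repodata is XML; the shape does not matter here.
def build_repodata(packages)
  packages.map { |name, bytes| "#{name} #{Digest::SHA256.hexdigest(bytes)}" }.join("\n")
end

# Detached signature over the repodata, the role repomd.xml.asc plays.
def sign_repodata(repodata, key)
  key.sign(OpenSSL::Digest.new('SHA256'), repodata)
end

# Step 1: repodata is only trusted if the signature verifies under the pinned key.
def repodata_verified?(repodata, signature, pubkey)
  pubkey.verify(OpenSSL::Digest.new('SHA256'), signature, repodata)
rescue OpenSSL::PKey::PKeyError
  false
end

# Step 2: look the expected checksum up, but only ever from verified repodata.
def expected_checksum(repodata, name)
  line = repodata.lines.map(&:strip).find { |l| l.start_with?("#{name} ") }
  line && line.split(' ', 2)[1]
end

# Signature-first client check. Returns :ok, :bad_repodata or :bad_checksum.
def verify_package(name, pkg_bytes, repodata, signature, pubkey)
  return :bad_repodata unless repodata_verified?(repodata, signature, pubkey)
  return :bad_checksum unless expected_checksum(repodata, name) == Digest::SHA256.hexdigest(pkg_bytes)
  :ok
end

# Checksum-only check, i.e. what the report describes: the checksum comes from
# repodata that nobody authenticated, so a MITM controls both values.
def checksum_only_ok?(name, pkg_bytes, repodata)
  expected_checksum(repodata, name) == Digest::SHA256.hexdigest(pkg_bytes)
end
```

Note that the signature check alone is not enough either: the pinned key must be obtained out of band, and the transport should still verify the server certificate so that the download is not trivially interceptable in the first place.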