Security Vulnerability: TLS Verification Disabled by Default
Vulnerability Summary
CWE: CWE-295 - Improper Certificate Validation
CVSS Score: 8.2 (High)
Impact: Complete loss of transport layer security
Status: Confirmed via code analysis and live demonstration
Technical Details
Vulnerability Description
Clairctl has TLS certificate verification disabled by default via the auth.insecureSkipVerify configuration parameter. This allows man-in-the-middle attacks and compromises the entire security pipeline.
Affected Code Locations
- Default Configuration (config/config.go:115-116):
  if viper.Get("auth.insecureSkipVerify") == nil {
      viper.Set("auth.insecureSkipVerify", "true") // SECURITY DISABLED
  }
- Vulnerable HTTP Clients:
clair/push.go:99 - Clair API client
server/server.go:89,116 - Registry clients
docker/dockerdist/dockerdist.go:108,137 - Docker registry client
Proof of Concept
1. Default Behavior Analysis
# Check default configuration
grep -A 2 -B 2 'viper.Set("auth.insecureSkipVerify", "true")' config/config.go
# Find all uses of insecure configuration
grep -r "TLSClientConfig.*InsecureSkipVerify.*viper.GetBool" . --include="*.go"
2. Live MITM Demonstration
# Malicious server with self-signed certificate
import http.server, ssl, socketserver

class MaliciousHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        print(f"MITM: Intercepted {self.path}")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'{"health": "MALICIOUS SERVER"}')

# Start server with invalid certificate
httpd = socketserver.TCPServer(("", 8443), MaliciousHandler)
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain('self-signed.crt', 'self-signed.key')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
Result: With auth.insecureSkipVerify: true, clairctl accepts connections to this malicious server.
Security Impact
Risks Enabled:
- Man-in-the-Middle Attacks: Interception of all HTTPS communications
- Data Theft: Container layers, authentication tokens, sensitive metadata
- False Reports: Injection of malicious vulnerability findings
- Supply Chain Compromise: Manipulation of security analysis results
Security Principles Violated:
- ✅ Secure-by-Default: TLS verification should be enabled by default
- ✅ Defense-in-Depth: Single configuration disables entire security layer
- ✅ Least Privilege: Global setting affects all HTTPS connections
- ✅ Clear Communication: No warnings when security disabled
Reproduction Steps
- Fresh installation of clairctl
- Check default config: auth.insecureSkipVerify is true
- Attempt to connect to any HTTPS endpoint with invalid certificate
- Observe connection is accepted (should be rejected)
Affected Versions
All versions using the current default configuration mechanism.
Recommended Fix
Immediate Mitigation
# Manual workaround for users
auth:
  insecureSkipVerify: false # Manually enable security
Permanent Solution
// config/config.go - Change to secure default
if viper.Get("auth.insecureSkipVerify") == nil {
    viper.Set("auth.insecureSkipVerify", "false") // ✅ SECURITY ENABLED
}

// Add security warnings
if viper.GetBool("auth.insecureSkipVerify") {
    log.Warn(" SECURITY: TLS verification disabled - MITM attacks possible")
    log.Warn(" This setting should only be used in trusted, isolated environments")
}
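The secure-by-default lookup and the HTTP client it feeds, as an added Go example that is not clairctl's own code: a plain map stands in for viper, httptest's self-signed server stands in for the PoC server above, and Probe shows the verifying client refusing that certificate while the bypassed one accepts it. SkipVerifySetting, NewHTTPClient and Probe are assumed names, not functions in the project.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// SkipVerifySetting mirrors the viper lookup in config/config.go with the default
// inverted: missing/unparsable values keep verification ON (map stands in for viper).
func SkipVerifySetting(cfg map[string]string, key string) bool {
	skip, err := strconv.ParseBool(cfg[key]) // missing key -> "" -> parse error
	if err != nil {
		return false // secure default: verify certificates
	}
	if skip { // audit trail: make the bypass visible in logs
		log.Printf("SECURITY: %s=true disables TLS verification; MITM possible", key)
	}
	return skip
}

// NewHTTPClient passes the setting straight through to TLSClientConfig,
// as clairctl's Clair and registry clients do.
func NewHTTPClient(insecureSkipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: insecureSkipVerify,
		MinVersion:         tls.VersionTLS12,
	}}}
}

// Probe: with verification on, an untrusted (self-signed) cert fails the handshake.
func Probe(client *http.Client, url string) bool {
	resp, err := client.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

func main() {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"health":"self-signed"}`)) // constructed stand-in for the PoC server
	}))
	defer srv.Close()
	log.Printf("verify=on  accepted: %v", Probe(NewHTTPClient(false), srv.URL)) // false
	log.Printf("verify=off accepted: %v", Probe(NewHTTPClient(true), srv.URL))  // true
}
```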
Additional Recommendations
- Scope Security Settings: Consider separate settings for different components
- Documentation: Clearly explain security implications in config documentation
- Deprecation Path: Consider removing global TLS bypass option entirely
- Audit Trail: Log when insecure settings are used
Research Context
This finding is part of systematic research into security tools that provide dangerous "disable security" switches. Similar vulnerabilities have been found in:
- GitGuardian GGShield (--allow-self-signed flag)
- Terrascan (HARBOR_SKIP_TLS environment variable)
- Clairctl (this report)