Vulnerability Overview
The vulnerability in stigmem-node's federation peer registration process allowed peer key material to be accepted at registration time without a separate administrator approval step tied to an out-of-band fingerprint check. Deployments that accepted federation peer registration across a network were therefore exposed whenever the initial registration could be intercepted or misdirected.
Impact and Severity
The severity of this vulnerability was rated at 9.1, a critical level of risk. The rating reflects that an attacker able to intercept or misdirect the initial registration could have their own key material accepted as a federation peer, with no administrator check standing in the way.
Patch and Workarounds
The vulnerability has been patched in version 0.9.0a2 of stigmem-node. The patch introduces a pending approval flow: a newly registered peer token is held as pending until an administrator approves it by confirming the expected fingerprint, and only then is it accepted. For those unable to upgrade immediately, workarounds include restricting peer registration endpoints to trusted administrative networks and verifying peer public-key fingerprints out of band before allowing any federation traffic.
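The pending approval flow described above, as an added illustration that is not stigmem-node's own code: the registry, the `register`/`approve`/`is_trusted` methods and the SHA-256 hex fingerprint format are all assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the raw public key (assumed fingerprint format)."""
    return hashlib.sha256(public_key).hexdigest()

@dataclass
class PeerRegistry:
    pending: dict = field(default_factory=dict)   # peer_id -> key awaiting approval
    approved: dict = field(default_factory=dict)  # peer_id -> key cleared for federation

    def register(self, peer_id: str, public_key: bytes) -> str:
        """Network-facing step: the key is parked, never trusted directly."""
        if peer_id in self.approved:
            raise ValueError("peer already approved; re-registration refused")
        self.pending[peer_id] = public_key
        return "pending"

    def approve(self, peer_id: str, expected_fingerprint: str) -> bool:
        """Admin step: expected_fingerprint was obtained out of band."""
        key = self.pending.pop(peer_id, None)
        if key is None:
            return False
        # Mismatch means the key that arrived is not the one the admin was
        # told to expect; it is dropped, not left pending for a retry.
        if not hmac.compare_digest(fingerprint(key), expected_fingerprint.lower()):
            return False
        self.approved[peer_id] = key
        return True

    def is_trusted(self, peer_id: str, public_key: bytes) -> bool:
        """Federation traffic is accepted only from an approved key."""
        return hmac.compare_digest(self.approved.get(peer_id, b""), public_key)

def demo() -> dict:
    # Constructed sample keys, not real key material.
    genuine, swapped = b"genuine-peer-key", b"substituted-peer-key"
    expected = fingerprint(genuine)          # what the admin received out of band
    reg = PeerRegistry()
    reg.register("peer-a", swapped)          # a misdirected registration arrives
    rejected = reg.approve("peer-a", expected)   # fingerprint mismatch
    reg.register("peer-a", genuine)          # the real peer registers
    accepted = reg.approve("peer-a", expected)
    return {"rejected": rejected, "accepted": accepted,
            "trusted": reg.is_trusted("peer-a", genuine),
            "swapped_trusted": reg.is_trusted("peer-a", swapped)}
```

The point of the model is that nothing that arrives over the registration endpoint becomes trusted until an administrator's out-of-band fingerprint matches it; a misdirected key is dropped rather than parked.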
Upgrade and Mitigation
To mitigate this vulnerability, users are advised to upgrade to the patched release (0.9.0a2 or later). Because 0.9.0a2 is a pre-release, the `--pre` flag is required for pip to select it:
```bash
pip install --upgrade --pre stigmem-node
```
For developers installing through the Stigmem meta-package, use the extra that matches the deployment, for example:
```bash
pip install --upgrade --pre 'stigmem[node]'
```
Conclusion
The vulnerability in stigmem-node's federation peer registration process highlights the importance of out-of-band approval and verification in securing networked deployments: key material received over the network should not be trusted until an administrator has confirmed it through a separate channel. By understanding the nature of this vulnerability and applying the patch or the workarounds above, users can protect their deployments from exploitation.