@nyxfqq
Created July 31, 2024 03:32
CVE-2024-41265
[Suggested description]
cortex v0.42.1 is configured to skip TLS certificate verification,
possibly allowing attackers to execute a man-in-the-middle attack.
In Cortex CLI, the export command, which triggers the makeOperatorRequest
function within cortexlabs/cortex/cli/cluster/lib_http_client.go,
establishes TLS connections with InsecureSkipVerify set to true.
This configuration allows the client to bypass TLS certificate verification,
undermining the security of the TLS connection and exposing the
application to potential man-in-the-middle (MITM) attacks.
The problematic code snippet is as follows:
    client := &http.Client{
        Timeout: timeout,
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
        },
    }
    response, err := client.Do(request)
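The effect of that setting, and a verifying alternative, as an added example (not code from the Cortex project): a local test server presents a certificate that no system trust store knows, and three client configurations are probed against it. The helper names newClient, probe and demo are hypothetical, and trusting only the server's own certificate is one assumed way to handle an operator endpoint with a private certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClient: insecure=true reproduces the advisory's pattern; otherwise the
// server is verified against roots (nil means the system trust store).
func newClient(roots *x509.CertPool, insecure bool) *http.Client {
	tlsCfg := &tls.Config{RootCAs: roots, InsecureSkipVerify: insecure}
	return &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

// probe reports whether a GET completes the TLS handshake and returns 200.
func probe(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false // handshake or transport failure
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// demo starts a constructed local TLS server whose certificate is not in any
// system store and returns the probe result for three client configurations.
func demo() (insecure, systemRoots, pinned bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust only this server's certificate
	insecure = probe(newClient(nil, true), srv.URL)
	systemRoots = probe(newClient(nil, false), srv.URL)
	pinned = probe(newClient(pool, false), srv.URL)
	return
}

func main() {
	i, s, p := demo()
	fmt.Printf("InsecureSkipVerify=%v systemRoots=%v pinnedCert=%v\n", i, s, p)
}
```

The InsecureSkipVerify client accepts the untrusted certificate, the default-verification client rejects it, and the client with an explicit RootCAs pool connects while still verifying.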
Potential Impact
Disabling TLS certificate verification in this manner makes the application susceptible to:
------------------------------------------
[Vulnerability Type]
Missing SSL Certificate Validation
------------------------------------------
[Vendor of Product]
https://github.com/cortexlabs/cortex https://docs.cortexlabs.com/
------------------------------------------
[Affected Product Code Base]
cortex - <=0.42.1
------------------------------------------
[Affected Component]
https://github.com/cortexlabs/cortex https://docs.cortexlabs.com/
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
configure the environment
------------------------------------------
[Reference]
https://github.com/cortexlabs/cortex/issues/2463
------------------------------------------
[Discoverer]
Yuexi Zhang