OnlyOffice: Docker Man-in-the-middle attack
The OnlyOffice Community Server Docker image downloads an unsigned .deb file over plain HTTP, leaving the build open to a man-in-the-middle attack that can plant malicious code. 2025-04-22 00:00:40 Author: github.com

Summary

The OnlyOffice Community Server Docker image downloads a .deb file from archive.ubuntu.com via HTTP. The download is thus vulnerable to Man-in-the-Middle attacks. Furthermore, the .deb file is then installed without any signature or hash being validated. This allows an attacker who either intercepts the download (MitM) or has compromised an Ubuntu archive server or mirror to run arbitrary code on any machine building this image.

Severity

Low - An attacker with MitM capabilities or an attacker who has compromised an Ubuntu mirror can identify CI/CD builds of this image and supply a backdoored .deb file, resulting in a compromise of the Docker image.

Proof of Concept

The multiarch-support_2.27-3ubuntu1_amd64.deb file is downloaded from archive.ubuntu.com via HTTP and is thus vulnerable to MitM. In addition, the .deb file is then installed without verifying a signature for it:

https://github.com/ONLYOFFICE/Docker-CommunityServer/blob/c03f03df67ebbd3410a7ab0e4a454d111a1d4ade/Dockerfile#L62

wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/multiarch-support_2.27-3ubuntu1_amd64.deb && \
apt-get install ./multiarch-support_2.27-3ubuntu1_amd64.deb && \

Running dpkg-sig confirms that this .deb file carries no embedded signature (no signature entries are listed after the "Processing" line). Note that Ubuntu does not sign individual archive .debs; apt establishes integrity through the GPG-signed InRelease file, whose hashes cover the Packages index, which in turn lists the SHA256 of each .deb. Fetching the file directly with wget and installing it with "apt-get install ./file" bypasses that whole chain, so nothing checks the download:

dpkg-sig --list multiarch-support_2.27-3ubuntu1_amd64.deb
Processing multiarch-support_2.27-3ubuntu1_amd64.deb...

Further Analysis

Use HTTPS to prevent MitM on the wire, and verify the package before installing it: either install multiarch-support through apt from a configured (signed) repository, or, if the file must be fetched directly, pin its SHA256 in the Dockerfile, taking the digest from Ubuntu's signed Packages index rather than from the same download, and fail the build on mismatch.
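As an added example (not code from the ONLYOFFICE Dockerfile or from the advisory), the following shell functions show the hardened form of the download step: the URL must be https://, the file's SHA256 must match a pinned digest, and only then is it handed to apt-get. The digest in the usage comment is a placeholder assumption, not the real value for multiarch-support_2.27-3ubuntu1_amd64.deb; the real one should be copied from Ubuntu's signed Packages index.

```shell
#!/bin/sh
# Added example: hardened replacement for
#   wget http://archive.ubuntu.com/.../pkg.deb && apt-get install ./pkg.deb
# Not the project's code; function names are this example's own.
set -eu

# Refuse any URL that is not https://, so an on-path attacker cannot
# substitute the file during transfer.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Print the SHA-256 hex digest of a file (coreutils or perl-based shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's SHA-256 with a pinned, expected digest.
# Returns 0 on match, 1 on mismatch; never silently continues.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# Download over HTTPS only, verify against the pinned digest, then install.
# The digest must come out-of-band from the GPG-signed Ubuntu index
# (InRelease -> Packages -> SHA256), not from the same response as the file.
fetch_and_install_deb() {
    url="$1"; expected="$2"
    name=$(basename "$url")
    require_https "$url"
    wget -q -O "$name" "$url"
    if ! verify_sha256 "$name" "$expected"; then
        rm -f "$name"          # never leave an unverified .deb on disk
        return 1
    fi
    apt-get install -y "./$name"
}

# Usage inside a Dockerfile RUN step (placeholder digest, assumed for illustration):
# fetch_and_install_deb \
#   https://archive.ubuntu.com/ubuntu/pool/main/g/glibc/multiarch-support_2.27-3ubuntu1_amd64.deb \
#   0000000000000000000000000000000000000000000000000000000000000000
```

Because the build now fails closed on a wrong digest, a backdoored .deb served by a MitM or a compromised mirror stops the build instead of landing in the image.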

Timeline

Date reported: 01/20/2025
Date fixed:
Date disclosed: 04/22/2025


Source: https://github.com/google/security-research/security/advisories/GHSA-m2m5-rmgj-jg93