VYPR
Moderate severity · NVD Advisory · Published Sep 17, 2025 · Updated Sep 18, 2025

Dragonfly has weak integrity checks for downloaded files

CVE-2025-59354

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dragonfly 2 prior to 2.1.0 uses MD5 hashes for file integrity, allowing attackers to swap files with collision-based substitutes.

Vulnerability

Description

Dragonfly, an open-source P2P file distribution and image acceleration system, prior to version 2.1.0 relied on a variety of hash functions for integrity verification of downloaded files, including the MD5 hash algorithm [1][3]. MD5 is well-known to lack collision resistance, meaning an attacker can craft two different inputs that produce the same hash output [3]. This weakness undermines the integrity guarantees of the system.

Exploitation

Scenario

An attacker (peer Alice) can create an innocent image and a malicious one, both crafted so that their respective MD5 piece hashes collide. The metadata (PieceMd5Sign) for both images is therefore identical. Alice shares the innocent image with other peers, who validate it as correct. When Bob requests the image, Alice supplies the malicious version instead; Bob's integrity check compares the colliding MD5 piece hashes, so the SHA256 hash computed over those piece digests also matches and the malicious image is accepted [3]. The attacker needs no privileges beyond being a peer in the network.
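The substitution described above, as an added Go example that is not Dragonfly's own code: it models PieceMd5Sign as a SHA-256 over the list of per-piece digests (a construction assumed from the advisory's wording, not taken from the project), stands in for MD5 with a one-byte truncation so that a colliding piece can be found inline, and shows that the outer SHA-256 accepts the colliding substitute while a full SHA-256 per piece rejects it.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// pieceSign models PieceMd5Sign as the advisory describes it: a SHA-256 over
// the per-piece digests (assumed layout). Its strength is bounded by the
// collision resistance of the inner digest, not by SHA-256.
func pieceSign(digests []string) string {
	sum := sha256.Sum256([]byte(strings.Join(digests, ":")))
	return hex.EncodeToString(sum[:])
}

// toyDigest stands in for MD5 in the pre-2.1.0 design. Real MD5 collisions
// cannot be produced inline, so MD5 is truncated to one byte to make a
// collision trivially findable; the structural flaw is the same either way.
func toyDigest(piece []byte) string {
	sum := md5.Sum(piece)
	return hex.EncodeToString(sum[:1])
}

// strongDigest is the hardened per-piece check: a full SHA-256 of the piece.
func strongDigest(piece []byte) string {
	sum := sha256.Sum256(piece)
	return hex.EncodeToString(sum[:])
}

// findCollidingPiece returns a piece that differs from innocent but shares its
// toyDigest, mimicking the collision-crafted malicious piece in the scenario.
func findCollidingPiece(innocent []byte) []byte {
	target := toyDigest(innocent)
	for i := 0; ; i++ {
		candidate := []byte(fmt.Sprintf("malicious-%d", i))
		if toyDigest(candidate) == target && string(candidate) != string(innocent) {
			return candidate
		}
	}
}

// verify is the downloading peer's check: recompute the sign from the received
// piece with digestFn and compare it to the published sign.
func verify(received []byte, publishedSign string, digestFn func([]byte) string) bool {
	return pieceSign([]string{digestFn(received)}) == publishedSign
}

func main() {
	innocent := []byte("innocent-layer") // constructed sample piece
	malicious := findCollidingPiece(innocent)
	weakSign := pieceSign([]string{toyDigest(innocent)})
	strongSign := pieceSign([]string{strongDigest(innocent)})
	fmt.Println("weak check accepts substitute:    ", verify(malicious, weakSign, toyDigest))
	fmt.Println("hardened check accepts substitute:", verify(malicious, strongSign, strongDigest))
}
```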

Impact

A successful attacker can replace a legitimate file with a malicious one while all integrity checks pass. This allows the distribution of tampered container images, binaries, or other data across the P2P network, potentially leading to arbitrary code execution or other compromise on systems that consume the altered files [1][3].

Mitigation

The vulnerability is fixed in Dragonfly version 2.1.0 [1][3]. Users should upgrade to this version or later. No effective workarounds exist [3]. The issue was identified during a third-party security audit by Trail of Bits [3][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
github.com/dragonflyoss/dragonfly (Go)   < 2.1.0             2.1.0
d7y.io/dragonfly/v2 (Go)                 < 2.1.0             2.1.0

Affected products: 2

Patches: 0 (no patches discovered yet)
