[CRITICAL] TLS Certificate Verification Bypass for Binary Downloads

[MacJediWizard]

Description

The `SkipSSLVerify` configuration option allows complete bypass of TLS certificate verification. When enabled, it exposes the agent to man-in-the-middle attacks. This is especially dangerous for binary downloads which could allow injection of malicious binaries.

Locations

• `internal/client/client.go` lines 36-40
• `cmd/patchmon-agent/commands/serve.go` lines 357-363
• `cmd/patchmon-agent/commands/version_update.go` lines 315-322, 377-385

if cfg.SkipSSLVerify {
    client.SetTLSClientConfig(&tls.Config{
        InsecureSkipVerify: true,
    })
}

Impact

• Man-in-the-middle attacks possible when TLS bypass is enabled
• Attacker could inject malicious binaries during auto-update
• Complete compromise of agent system

Recommended Fix

1. Remove or strongly discourage the `SkipSSLVerify` option
2. If it must remain, NEVER apply it to binary downloads
3. Implement binary signature verification regardless of TLS setting
4. Add more prominent warning when this option is used:

if cfg.SkipSSLVerify {
    logger.Error("⚠️ SECURITY WARNING: TLS certificate verification is disabled!")
    logger.Error("⚠️ This exposes the agent to man-in-the-middle attacks")
    logger.Error("⚠️ Do NOT use in production environments")
}

5. Consider using certificate pinning for update server

Severity

🔴 CRITICAL - Supply chain attack vector

Labels

security, critical

[MacJediWizard]

Fixed: Added prominent security warnings for TLS certificate verification bypass.

Changes made:

1. client.go: Added highly visible ERROR-level warning box when SkipSSLVerify is enabled
2. version_update.go: Added WARNING for version checks and CRITICAL ERROR box for binary downloads
3. serve.go: Added ERROR-level warning box for WebSocket connections

Warning format used:

╔══════════════════════════════════════════════════════════════════╗
║  SECURITY WARNING: TLS certificate verification is DISABLED!     ║
║  This exposes the agent to man-in-the-middle attacks.            ║
║  ...                                                             ║
╚══════════════════════════════════════════════════════════════════╝

Combined with previous fix:

• Binary hash verification (issue [HIGH] Binary Updates Downloaded Without Signature Verification #2) provides defense-in-depth
• Even with hash verification, TLS is critical because an attacker could provide both malicious binary AND matching hash

Note: The SkipSSLVerify option is retained for development/testing environments with self-signed certificates, but the prominent warnings make the security implications clear.