
# OnlyOffice: Docker Man-in-the-middle attack (MitM)

## Package

## Affected versions

## Patched versions

## Description

### Summary

The OnlyOffice Community Server Docker image downloads a `.deb` file from archive.ubuntu.com over plain HTTP, so the download is vulnerable to Man-in-the-Middle (MitM) attacks. The `.deb` file is then installed without its signature being validated. An attacker who either tampers with the download via MitM or has compromised an Ubuntu server or mirror can therefore run arbitrary code on servers building this image.

### Severity

Low – An attacker with MitM capabilities or an attacker who has compromised an Ubuntu mirror can identify CI/CD builds of this image and supply a backdoored `.deb` file, resulting in a compromise of the Docker image.

### Proof of Concept

The `multiarch-support_2.27-3ubuntu1_amd64.deb` file is downloaded from archive.ubuntu.com via HTTP and is thus vulnerable to MitM. In addition, the `.deb` file is then installed without verifying a signature for it:

https://github.com/ONLYOFFICE/Docker-CommunityServer/blob/c03f03df67ebbd3410a7ab0e4a454d111a1d4ade/Dockerfile#L62

```
wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/multiarch-support_2.27-3ubuntu1_amd64.deb && apt-get install ./multiarch-support_2.27-3ubuntu1_amd64.deb &&
```

Running `dpkg-sig` verifies that this `.deb` file is not signed:

```
$ dpkg-sig --list multiarch-support_2.27-3ubuntu1_amd64.deb
Processing multiarch-support_2.27-3ubuntu1_amd64.deb...
```

### Further Analysis

Download the package over HTTPS to prevent MitM and, if possible, use a signed version of the multiarch-support package, so that the build fails closed if the file does not match what Ubuntu published.
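As an added example (not code from the ONLYOFFICE Dockerfile), the same build step hardened along these lines: the `.deb` is fetched over TLS only and installed only if its SHA256 matches a digest pinned at build time. The pinned digest is a placeholder here; in practice it is the `SHA256` value for this exact `.deb` from Ubuntu's signed `Packages` index, and `wget --https-only` assumes GNU wget.

```shell
#!/bin/sh
# Added example: download a .deb over HTTPS and refuse to install it unless its
# SHA256 matches a digest pinned at build time (not part of the original Dockerfile).
set -eu

DEB="multiarch-support_2.27-3ubuntu1_amd64.deb"
DEB_URL="https://archive.ubuntu.com/ubuntu/pool/main/g/glibc/${DEB}"
# Placeholder: replace with the SHA256 listed for this file in the signed Packages index.
DEB_SHA256="REPLACE_WITH_SHA256_FROM_SIGNED_PACKAGES_INDEX"

# verify_sha256 FILE EXPECTED: returns 0 if FILE's SHA256 equals EXPECTED, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch_and_install: TLS-only download, then install only on a digest match.
# A plain-HTTP URL or a tampered file makes the build step fail instead of
# silently installing whatever the network delivered.
fetch_and_install() {
    wget --https-only -O "$DEB" "$DEB_URL"
    if ! verify_sha256 "$DEB" "$DEB_SHA256"; then
        echo "checksum mismatch for $DEB, refusing to install" >&2
        rm -f "$DEB"
        return 1
    fi
    apt-get install -y "./$DEB"
}
```

Installing `multiarch-support` through `apt-get install` from the configured Ubuntu repository instead of a hand-fetched file lets apt verify the signed release metadata itself, which covers the signature concern without pinning a digest by hand.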

### Timeline

**Date reported**: 01/20/2025

**Date fixed**:

**Date disclosed**: 04/22/2025
