Introduction
The SecurityHive Vulnerability Agent uses an update mechanism called The Update Framework (TUF). This framework ensures that software updates are delivered in a secure and trustworthy way.
TUF works by using cryptographic signing keys to sign update metadata. The agent installed on your systems verifies these signatures before accepting an update. This process ensures that only authentic updates published by SecurityHive are installed.
This security model protects against several attack scenarios, including:
Man-in-the-Middle attacks
Compromised update infrastructure
Malicious software being distributed through update servers
Even if an attacker were to gain control over the update infrastructure, they would not be able to distribute malicious updates without the signing keys.
Because these keys are security-sensitive, they also expire periodically. To maintain the integrity of the update system, they must be rotated from time to time.
What Happened
During the previous key rotation, an internal issue occurred that prevented the newly rotated root key from being stored in our secure vault.
This does not have any security implications. No systems were compromised, and no signing keys were leaked or misused.
However, because the rotated key was not retained, we cannot continue the update chain from that key. As a result, agents that still trust the previous chain cannot automatically transition to the new signing configuration.
This means updates cannot be delivered until the trust chain is refreshed locally on your systems.
Resolution
We have generated a new set of signing keys and rebuilt the trust chain starting from the last root key available to us.
We have also implemented additional safeguards in our internal processes to prevent this situation from occurring again.
To restore normal update functionality, a one-time action is required on systems running the SecurityHive Agent.
You can resolve the issue using one of the following methods.
Option 1 — Delete the Metadata Folder (Recommended)
The agent stores a local copy of the TUF trust chain in the metadata folder.
By removing this folder, the agent will rebuild the trust chain automatically when it starts again.
Steps
Navigate to:
C:\Program Files\SecurityHive Agent\metadata
Delete the metadata folder.
Restart either:
The SecurityHive Agent service, or
The system
After restarting, the agent will download the updated trust chain and resume normal update operations.
No reinstallation is required.
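The Option 1 steps as a PowerShell script, for administrators who need to apply them on many hosts. This is an added example, not SecurityHive's own tooling. The service display-name pattern is an assumption (the page does not name the Windows service), and stopping the service before deleting is a choice made here to avoid locked files.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Path taken from the advisory.
    [string]$MetadataPath = 'C:\Program Files\SecurityHive Agent\metadata',
    # ASSUMPTION: the advisory does not name the service; verify with Get-Service.
    [string]$ServiceDisplayName = 'SecurityHive*'
)

$ErrorActionPreference = 'Stop'

# Resolve the agent service; refuse to guess if the pattern is ambiguous.
$services = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)
if ($services.Count -gt 1) {
    throw "Pattern '$ServiceDisplayName' matches $($services.Count) services; narrow it."
}
$service = $services | Select-Object -First 1

# Stop the agent first so no metadata file is held open during deletion.
if ($service -and $service.Status -ne 'Stopped') {
    if ($PSCmdlet.ShouldProcess($service.Name, 'Stop service')) {
        Stop-Service -InputObject $service -Force
    }
}

# Delete the local copy of the TUF trust chain.
if (Test-Path -LiteralPath $MetadataPath -PathType Container) {
    if ($PSCmdlet.ShouldProcess($MetadataPath, 'Delete metadata folder')) {
        Remove-Item -LiteralPath $MetadataPath -Recurse -Force
    }
} else {
    Write-Warning "Metadata folder not found at '$MetadataPath'; nothing to delete."
}

# Start the agent so it rebuilds the trust chain, or fall back to a reboot.
if ($service) {
    if ($PSCmdlet.ShouldProcess($service.Name, 'Start service')) {
        Start-Service -InputObject $service
        Write-Output "Restarted service '$($service.Name)'."
    }
} else {
    Write-Warning "No service matched '$ServiceDisplayName'; restart the system instead."
}
```

Run it with -WhatIf first to see which service and folder it would touch without changing anything.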
Option 2 — Reinstall the Agent
You may also resolve the issue by reinstalling the SecurityHive Agent.
Steps
Uninstall the SecurityHive Agent.
Verify the following directory has been removed:
C:\Program Files\SecurityHive Agent
If it still exists, delete it manually.
Install the latest version of the agent.
Use a new enrollment secret, as the previous one may have expired in the meantime.
Important Notes
This issue did not compromise security.
The signing system prevented updates from continuing without a valid trust chain — exactly as designed.
The situation demonstrates the effectiveness of the security protections provided by TUF.
Need Help?
If you have any questions or encounter issues while performing these steps, please contact SecurityHive support.
We sincerely apologize for the inconvenience. We understand that situations like this are unpleasant for our customers and for us as well. We have learned from this incident and improved our processes to prevent similar issues in the future.
Most importantly, the security of the update system remained intact at all times, which confirms the robustness of the architecture protecting your systems.
