How the CVE Works:
The vulnerability lies in the `decrypt_in_place_detached` function of the `ascon-aead` crate, the Rust ASCON implementation. When decrypting in place, the function turns the caller's buffer back into plaintext and then verifies the authentication tag, but on a tag mismatch it returns an error without touching the buffer: the underlying `decrypt_inplace` routine in `asconcore.rs` returns `Err` and leaves the freshly decrypted, unauthenticated plaintext in place. A caller that ignores the `Result`, or reads the buffer after the error, therefore processes data that never passed authentication, which defeats the purpose of an AEAD. The behaviour matches the previously reported advisory GHSA-423w-p2w9-r7vq. An attacker who can submit chosen ciphertexts and observe how the application handles the buffer contents after a failed decryption gains a chosen-ciphertext oracle, potentially exposing plaintext that was never authenticated.
DailyCVE Form:
Platform: ASCON Cryptographic Library
Version: Pre-patch versions
Vulnerability: Incorrect Tag Verification
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
1. Exploit Code:
    use ascon_aead::aead::{AeadInPlace, KeyInit};
    use ascon_aead::{Ascon128, Key, Nonce, Tag};

    fn main() {
        // Ascon-128 uses a 16-byte key and a 16-byte nonce (demo values only)
        let key = Key::<Ascon128>::from_slice(b"very secret key.");
        let cipher = Ascon128::new(key);
        let nonce = Nonce::<Ascon128>::from_slice(b"unique nonce 012");

        let mut buffer: Vec<u8> = Vec::new();
        buffer.extend_from_slice(b"plaintext message");

        // Encrypt in place; the real tag is discarded, so any decryption must fail
        cipher
            .encrypt_in_place_detached(nonce, b"", &mut buffer)
            .expect("encryption failure!");

        // Decrypt in place with an all-zero (invalid) tag and ignore the Err
        let _ = cipher.decrypt_in_place_detached(
            nonce,
            b"",
            &mut buffer,
            Tag::<Ascon128>::from_slice(&[0u8; 16]),
        );

        // On a vulnerable version this assertion passes: tag verification failed,
        // yet the buffer still holds the decrypted plaintext
        assert_eq!(&buffer, b"plaintext message");
    }
2. Attack Vector:
- Send a crafted ciphertext, or a valid ciphertext with a corrupted tag, to a target that decrypts it in place with `decrypt_in_place_detached`.
- If the application keeps using the buffer after the `Err` (or leaks its contents through a later operation, log line, or response), the unauthenticated plaintext is exposed despite the tag verification failure.
3. Impact:
- Exposure of plaintext that never passed authentication.
- A chosen-ciphertext oracle against the application's handling of the buffer, compromising both integrity and confidentiality.
Protection:
1. Patch:
- Update to the latest version of the ASCON library that addresses this issue.
2. Code Fix:
- Patched versions clear the buffer inside the library; application code should still never read the buffer after an `Err`, and on pre-patch versions must zeroize it itself. The snippet below uses the `zeroize` crate:
    use zeroize::Zeroize; // provides buffer.zeroize()

    if let Err(_) = cipher.decrypt_in_place_detached(nonce, b"", &mut buffer, tag) {
        // Tag mismatch: wipe the unauthenticated plaintext before anything can read it
        buffer.zeroize();
    }
3. Mitigation:
- Treat any `Err` from `decrypt_in_place_detached` as fatal for that buffer: never read, log, forward, or parse its contents.
- Where the protocol allows, add integrity checks outside the cryptographic library (for example a signature over the message) so a single library defect does not leave data unauthenticated.
4. References:
5. Commands:
- Pull the patched crate: `cargo update -p ascon-aead`
- Verify which version is resolved and who depends on it: `cargo tree -i ascon-aead`
- Check the lockfile against the RustSec advisory database: `cargo audit`
6. Analytics:
- Monitor for bursts of AEAD decryption failures from a single source; a tag-forgery or oracle probe looks like many consecutive failed decryptions.
- Alert on application paths that emit or act on buffer contents after a decryption error.
By following these steps, you can mitigate the risk posed by this critical vulnerability.
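The buffer-handling pattern described under "How the CVE Works" and the zeroize fix under "Code Fix", shown side by side in an added example that is not code from ascon-aead or from this page's author. The cipher (XOR with a non-cryptographic keystream) and the tag (a non-cryptographic hash) are assumed toy stand-ins for ASCON; only the behaviour of the buffer after a failed tag check is the point. The key, nonce, and message are constructed demo values.

```rust
// Added example (not ascon-aead's code): a toy in-place AEAD reproducing the bug
// class. keystream_byte and toy_tag are NOT cryptographic; they are placeholders
// so the buffer handling around tag verification can be shown without a crate.
use std::sync::atomic::{compiler_fence, Ordering};

pub const TAG_LEN: usize = 16;

#[derive(Debug, PartialEq, Eq)]
pub struct TagError;

/// Toy keystream byte for position `i` (assumption: stand-in for ASCON's keystream).
fn keystream_byte(key: &[u8; 16], nonce: &[u8; 16], i: usize) -> u8 {
    let mut x: u64 = 0x9E37_79B9_7F4A_7C15;
    for (k, n) in key.iter().zip(nonce.iter()) {
        x ^= ((*k as u64) << 8) | (*n as u64);
        x = x.wrapping_mul(0x0100_0000_01B3).rotate_left(17);
    }
    x ^= i as u64;
    x = x.wrapping_mul(0x2545_F491_4F6C_DD1D);
    (x >> 56) as u8
}

/// Toy tag over (key, nonce, associated data, ciphertext). NOT a MAC; stand-in only.
fn toy_tag(key: &[u8; 16], nonce: &[u8; 16], ad: &[u8], ct: &[u8]) -> [u8; TAG_LEN] {
    let ad_len = (ad.len() as u64).to_le_bytes(); // length framing for the ad/ct boundary
    let mut h: u64 = 0xCBF2_9CE4_8422_2325;
    for b in key.iter().chain(nonce).chain(&ad_len).chain(ad).chain(ct) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0100_0000_01B3);
    }
    let mut tag = [0u8; TAG_LEN];
    for (i, out) in tag.iter_mut().enumerate() {
        h ^= i as u64;
        h = h.wrapping_mul(0x2545_F491_4F6C_DD1D);
        *out = (h >> 56) as u8;
    }
    tag
}

/// Constant-time equality: no early exit that would leak the first mismatching byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Overwrite with zeros using volatile stores plus a compiler fence so the writes
/// are not optimised away (the same idea the `zeroize` crate implements).
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Encrypt `buffer` in place and return the detached tag.
pub fn encrypt_in_place_detached(key: &[u8; 16], nonce: &[u8; 16], ad: &[u8], buffer: &mut [u8]) -> [u8; TAG_LEN] {
    for (i, b) in buffer.iter_mut().enumerate() {
        *b ^= keystream_byte(key, nonce, i);
    }
    toy_tag(key, nonce, ad, buffer)
}

/// Pre-patch pattern: the buffer is already plaintext when the tag is checked,
/// and the error path leaves it that way.
pub fn decrypt_in_place_detached_vulnerable(key: &[u8; 16], nonce: &[u8; 16], ad: &[u8], buffer: &mut [u8], tag: &[u8; TAG_LEN]) -> Result<(), TagError> {
    let expected = toy_tag(key, nonce, ad, buffer);
    for (i, b) in buffer.iter_mut().enumerate() {
        *b ^= keystream_byte(key, nonce, i);
    }
    if ct_eq(&expected, tag) { Ok(()) } else { Err(TagError) } // plaintext still in buffer on Err
}

/// Patched pattern: identical flow, but a mismatch zeroizes the buffer before
/// returning, so a caller that ignores the Result can only see zeros.
pub fn decrypt_in_place_detached_fixed(key: &[u8; 16], nonce: &[u8; 16], ad: &[u8], buffer: &mut [u8], tag: &[u8; TAG_LEN]) -> Result<(), TagError> {
    let expected = toy_tag(key, nonce, ad, buffer);
    for (i, b) in buffer.iter_mut().enumerate() {
        *b ^= keystream_byte(key, nonce, i);
    }
    if ct_eq(&expected, tag) {
        Ok(())
    } else {
        zeroize(buffer);
        Err(TagError)
    }
}

fn main() {
    let key = [0x11u8; 16]; // constructed demo key
    let nonce = [0x22u8; 16]; // constructed demo nonce
    let mut buffer = b"plaintext message".to_vec();
    let tag = encrypt_in_place_detached(&key, &nonce, b"", &mut buffer);
    let bad_tag = [0u8; TAG_LEN];

    let mut v = buffer.clone();
    let r = decrypt_in_place_detached_vulnerable(&key, &nonce, b"", &mut v, &bad_tag);
    println!("vulnerable: {:?}, buffer = {:?}", r, String::from_utf8_lossy(&v));

    let mut f = buffer.clone();
    let r = decrypt_in_place_detached_fixed(&key, &nonce, b"", &mut f, &bad_tag);
    println!("fixed: {:?}, buffer all zero = {}", r, f.iter().all(|&b| b == 0));

    let mut ok = buffer.clone();
    let r = decrypt_in_place_detached_fixed(&key, &nonce, b"", &mut ok, &tag);
    println!("fixed, good tag: {:?}, buffer = {:?}", r, String::from_utf8_lossy(&ok));
}
```

Both functions return the same `Err(TagError)` for a bad tag; the difference is only what the caller can observe in the buffer afterwards, which is exactly the property the advisory is about. Constant-time comparison and volatile zeroization are used because a fix that leaks via timing or is optimised away would reopen the oracle.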
References:
Reported By: https://github.com/advisories/GHSA-r38m-44fw-h886