RustCrypto AES-GCM Library Plaintext Exposure Vulnerability in Tag Verification
Vulnerability
A vulnerability exists in the RustCrypto AES-GCM implementation in versions through 0.4.2. In the 'decrypt_in_place_detached' function, the ciphertext in the caller's buffer is decrypted before the authentication tag is checked; when the tag does not match, the function returns an error but leaves the decrypted bytes in the buffer instead of clearing them. Any caller that reads the buffer after the error, or any attacker who can observe it, therefore obtains the output of an unauthenticated decryption, which is exactly the primitive that chosen ciphertext attacks on AEAD modes rely on.
Impact
This vulnerability exposes unauthenticated decryption results to the caller. The AEAD contract is that on a tag mismatch no plaintext is released; once that guarantee is gone, an attacker who can submit modified ciphertexts and learn anything about the buffer contents can mount some forms of chosen ciphertext attack against the key in use.
Reproduction
To reproduce this vulnerability, use the Ascon128 cipher from the 'ascon_aead' crate. Encrypt a message with the 'encrypt_in_place_detached' method, which overwrites the plaintext in the buffer with ciphertext and returns the tag separately. Then call 'decrypt_in_place_detached' on that buffer with a deliberately wrong tag. The call returns an error, but inspecting the buffer afterwards shows that it still contains the original plaintext, demonstrating the vulnerability.
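The following is an added example, not code from the advisory or from any RustCrypto crate. It models the detached in-place API shape with a deliberately insecure toy cipher (a xorshift keystream and an FNV-1a tag, both assumptions made here so the block runs without external crates) so that the control-flow bug is observable: the vulnerable routine decrypts and then checks the tag, returning an error while the plaintext stays in the buffer; the fixed routine wipes the buffer before returning that error. The `ToyAead` type, its methods and `reproduce()` are hypothetical names introduced for this illustration.

```rust
// Added example (not the page's or RustCrypto's code). The cipher and tag below are
// insecure stand-ins chosen only to make the decrypt-then-verify bug visible.
const TAG_LEN: usize = 8;

#[derive(Debug, PartialEq, Eq)]
pub struct Error;

pub struct ToyAead {
    key: [u8; 16],
}

/// Reads a little-endian u64 from the first 8 bytes of a slice.
fn u64_at(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[..8]);
    u64::from_le_bytes(a)
}

/// Toy keystream (assumption: xorshift64* seeded from key and nonce, NOT a real cipher).
fn keystream(key: &[u8; 16], nonce: &[u8; 8], len: usize) -> Vec<u8> {
    let mut s = (u64_at(&key[..8]) ^ u64_at(&key[8..]).rotate_left(17) ^ u64_at(nonce)) | 1;
    let mut out = Vec::with_capacity(len + 8);
    while out.len() < len {
        s ^= s >> 12;
        s ^= s << 25;
        s ^= s >> 27;
        out.extend_from_slice(&s.wrapping_mul(0x2545F4914F6CDD1D).to_le_bytes());
    }
    out.truncate(len);
    out
}

/// Toy tag (assumption: FNV-1a over key || nonce || ad || ciphertext, NOT a real MAC).
fn toy_tag(key: &[u8; 16], nonce: &[u8; 8], ad: &[u8], ct: &[u8]) -> [u8; TAG_LEN] {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in key.iter().chain(nonce).chain(ad).chain(ct) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x100000001b3);
    }
    h.to_le_bytes()
}

/// Constant-time equality, a stand-in for subtle::ConstantTimeEq.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl ToyAead {
    pub fn new(key: [u8; 16]) -> Self {
        Self { key }
    }

    /// Encrypts `buffer` in place and returns the detached tag.
    pub fn encrypt_in_place_detached(&self, nonce: &[u8; 8], ad: &[u8], buffer: &mut [u8]) -> [u8; TAG_LEN] {
        let ks = keystream(&self.key, nonce, buffer.len());
        for (b, k) in buffer.iter_mut().zip(ks) {
            *b ^= k;
        }
        toy_tag(&self.key, nonce, ad, buffer)
    }

    /// The bug pattern: decrypt first, verify second, and on mismatch return Err
    /// while `buffer` still holds the plaintext.
    pub fn decrypt_in_place_detached_vulnerable(&self, nonce: &[u8; 8], ad: &[u8], buffer: &mut [u8], tag: &[u8; TAG_LEN]) -> Result<(), Error> {
        let expected = toy_tag(&self.key, nonce, ad, buffer);
        let ks = keystream(&self.key, nonce, buffer.len());
        for (b, k) in buffer.iter_mut().zip(ks) {
            *b ^= k;
        }
        if ct_eq(&expected, tag) { Ok(()) } else { Err(Error) } // plaintext left behind
    }

    /// Fixed: identical until the check, but the buffer is wiped before Err is returned.
    pub fn decrypt_in_place_detached_fixed(&self, nonce: &[u8; 8], ad: &[u8], buffer: &mut [u8], tag: &[u8; TAG_LEN]) -> Result<(), Error> {
        let expected = toy_tag(&self.key, nonce, ad, buffer);
        let ks = keystream(&self.key, nonce, buffer.len());
        for (b, k) in buffer.iter_mut().zip(ks) {
            *b ^= k;
        }
        if ct_eq(&expected, tag) {
            Ok(())
        } else {
            buffer.fill(0); // never hand unauthenticated plaintext back to the caller
            Err(Error)
        }
    }
}

/// Runs the advisory's reproduction steps against the toy. Returns the buffer contents
/// after a failed decrypt with the vulnerable routine, after a failed decrypt with the
/// fixed routine, and after a successful decrypt with the correct tag.
pub fn reproduce() -> (Vec<u8>, Vec<u8>, Vec<u8>) {
    let aead = ToyAead::new(*b"0123456789abcdef"); // constructed sample key
    let nonce = b"nonce001";
    let ad = b"header";
    let mut buf = b"attack at dawn".to_vec(); // constructed sample message
    let tag = aead.encrypt_in_place_detached(nonce, ad, &mut buf);
    let ciphertext = buf;
    let mut wrong_tag = tag;
    wrong_tag[0] ^= 0x01;

    let mut vuln = ciphertext.clone();
    assert_eq!(aead.decrypt_in_place_detached_vulnerable(nonce, ad, &mut vuln, &wrong_tag), Err(Error));
    let mut fixed = ciphertext.clone();
    assert_eq!(aead.decrypt_in_place_detached_fixed(nonce, ad, &mut fixed, &wrong_tag), Err(Error));
    let mut good = ciphertext;
    assert_eq!(aead.decrypt_in_place_detached_fixed(nonce, ad, &mut good, &tag), Ok(()));
    (vuln, fixed, good)
}

fn main() {
    let (vuln, fixed, good) = reproduce();
    println!("vulnerable, wrong tag: {:?}", String::from_utf8_lossy(&vuln)); // plaintext leaked
    println!("fixed, wrong tag:      {:?}", fixed);
    println!("fixed, right tag:      {:?}", String::from_utf8_lossy(&good));
}
```

Wiping the buffer is the fix shape that works for any AEAD, including sponge-based designs such as Ascon where the tag is only known after the plaintext has been absorbed. For encrypt-then-MAC designs such as GCM, where the tag covers only the ciphertext and associated data, the stricter option is to verify the tag before touching the buffer at all, so no plaintext ever exists on a failed call.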
Remediation
Upgrade to version 0.4.3 or later, where this vulnerability has been fixed. Until the upgrade is in place, treat the buffer as untrusted after any decryption error: zeroize it in the caller and never let a failed 'decrypt_in_place_detached' result reach any code path that reads the buffer as plaintext.
