Parsec Weak Curve25519 Point Validation Vulnerability in Diffie-Hellman Exchange
Vulnerability
A vulnerability exists in Parsec versions 3.x prior to 3.6.0, specifically in the web application when using the RustCrypto backend. The issue arises because the `libparsec_crypto` component does not check Curve25519 public points for low (weak) order. An attacker in a man-in-the-middle position can therefore inject low-order points into the Diffie-Hellman key exchange, increasing the likelihood that both parties derive the same shared key. The SAS code comparison then succeeds, giving both parties a false sense of security and masking the MITM attack.
Impact
Exploitation of this vulnerability could result in a man-in-the-middle attack, where an attacker can intercept and manipulate communications between two parties without detection, potentially leading to unauthorized access to sensitive information or resources.
Reproduction
The vulnerability can be reproduced by initiating a Diffie-Hellman key exchange in the Parsec web application version 3.x prior to 3.6.0, while the RustCrypto backend is active. An attacker can then intercept the exchange and introduce weak order points, causing both parties to derive the same shared key.
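The following is an added example, not Parsec's or RustCrypto's code: a pure-Python X25519 (RFC 7748) used to show why a low-order peer point makes both sides' secrets collapse to the same all-zero value, and the check that rejects it. The private keys are the RFC 7748 section 6.1 test vectors; the MITM scenario and the `LOW_ORDER_U` list are constructed for illustration.

```python
# Added example, not Parsec's code: RFC 7748 X25519 in pure Python plus the
# low-order point check whose absence the advisory describes.
P = 2**255 - 19
BASE_U = (9).to_bytes(32, "little")
# Private keys from the RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
# Two Curve25519 low-order u-coordinates (orders 2 and 4); a full blocklist
# also covers the order-8 points and the non-canonical encodings.
LOW_ORDER_U = [bytes(32), (1).to_bytes(32, "little")]

def _clamp(k: bytes) -> int:
    a = bytearray(k)                      # scalar clamping, RFC 7748 section 5
    a[0] &= 248; a[31] &= 127; a[31] |= 64
    return int.from_bytes(a, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder (RFC 7748 s5). A low-order u ends at the point at
    infinity (z2 == 0), so the output degenerates to 32 zero bytes."""
    n = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # drop top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def shared_secret_checked(priv: bytes, peer_pub: bytes) -> bytes:
    """Hardened DH step: reject the all-zero output (RFC 7748 s6.1 guidance)."""
    s = x25519(priv, peer_pub)
    if s == bytes(32):
        raise ValueError("peer public key has low order; abort the exchange")
    return s

def mitm_with_low_order_point(injected_u: bytes) -> tuple[bytes, bytes]:
    """Constructed scenario from the advisory: the MITM hands both peers one low-order point."""
    return x25519(ALICE_PRIV, injected_u), x25519(BOB_PRIV, injected_u)
```

Without the check, both unchecked secrets in `mitm_with_low_order_point` are identical (all zeros), so a SAS derived from them matches on both sides; with `shared_secret_checked` the exchange aborts instead.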
Remediation
Users can upgrade to Parsec version 3.6.0 or later, where this vulnerability has been patched.
