editso Fuso Inadequate Encryption Vulnerability in RSA Handshake Function

A vulnerability exists in editso Fuso versions up to 1.0.4-beta.7, specifically within the 'PenetrateRsaAndAesHandshake' function of 'src/net/penetrate/handshake/mod.rs'. The issue arises from the use of a 1024-bit RSA private key, which is considered insecure due to its susceptibility to modern computational attacks. This flaw leads to inadequate encryption strength, allowing for potential remote exploitation, although such an attack would be complex and challenging to execute.

Impact

Exploitation of this vulnerability could result in inadequate encryption, compromising the confidentiality of sensitive data by allowing it to be encrypted with a weak RSA key, which could be broken with sufficient computational resources.

Reproduction

The vulnerability can be reproduced by generating an RSA private key with a size of 1024 bits, using the RSA cryptography library in a Rust environment. This can be done by manipulating the 'priv_key' argument in the 'PenetrateRsaAndAesHandshake' function. The resulting encryption can then be tested for strength, revealing the vulnerability.

Remediation

Users are advised to update to a version of editso Fuso that is not affected by this vulnerability. When using RSA, it is recommended to use a key size of at least 2048 bits, with 3072 bits preferred, and to apply PSS for signatures and OAEP-SHA256 for encryption.