Cesanta Mongoose
cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*
- <= 7.20
Cesanta Mongoose versions up to 7.20 contain a vulnerability in the ChaCha20-Poly1305 decryption function. The function does not verify the Poly1305 authentication tag during decryption, an instance of improper verification of a cryptographic signature. A remote attacker can exploit this flaw to modify encrypted data in transit with byte-level precision. As a result, TLS connections using Mongoose's built-in TLS implementation are completely unauthenticated.
The vulnerability allows for bit-flipping attacks on any TLS record, enabling an attacker to modify encrypted data in transit without detection. This could lead to unauthorized changes in application data, such as HTTP headers or JSON fields, and could be exploited to hijack sessions or inject malicious commands into IoT devices.
The vulnerability can be reproduced by encrypting a message using the ChaCha20-Poly1305 encryption function, which correctly generates the authentication tag. After encryption, specific bits in the ciphertext can be flipped to change the plaintext when decrypted. This tampered ciphertext can then be decrypted using the vulnerable decryption function, which accepts the modified data without any error, despite the corruption of the authentication tag.