ghsa-753p-wrj5-g8fj
Vulnerability from github
Impact
A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.
No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.
Patches
PQClean does not have a release process, as it is a collection of implementations. If you obtained a HQC implementation from PQClean, please update to a version that includes the fixes proposed in https://github.com/PQClean/PQClean/pull/578.
Please also refer to our security policy.
Workarounds
Manually patching is always possible
Further details
In the 2023/04/30 version of the HQC specification and reference implementation, an extra field (sigma) was added to the secret key structure to enable implicit rejection of malformed ciphertexts. The logic to retrieve the public key from the secret key in the decapsulation function was not updated accordingly. As a result, sigma is treated as part of the public key. Later in the decapsulation call, a incorrectly constructed comparison check allows this error to go through undetected. Due to how these two bugs interfere with each other, the decapsulation function never uses sigma to perform implicit rejection; instead, it accepts malformed ciphertexts and returns shared secrets based on their decryptions.
References
This issue was first reported in OQS https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7. The vulnerability was identified by Célian Glénaz and Dahmun Goudarzi (Quarkslab).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "pqcrypto-hqc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-11T21:47:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nA correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.\n\nNo concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.\n\n### Patches\n\nPQClean does not have a release process, as it is a collection of implementations. If you obtained a HQC implementation from PQClean, please update to a version that includes the fixes proposed in https://github.com/PQClean/PQClean/pull/578. \n\nPlease also [refer to our security policy](https://github.com/PQClean/PQClean/blob/master/SECURITY.md).\n\n### Workarounds\n\nManually patching is always possible\n\n### Further details\n\nIn the 2023/04/30 version of the HQC specification and reference implementation, an extra field (sigma) was added to the secret key structure to enable implicit rejection of malformed ciphertexts. The logic to retrieve the public key from the secret key in the decapsulation function was not updated accordingly. As a result, sigma is treated as part of the public key. Later in the decapsulation call, a incorrectly constructed comparison check allows this error to go through undetected. Due to how these two bugs interfere with each other, the decapsulation function never uses sigma to perform implicit rejection; instead, it accepts malformed ciphertexts and returns shared secrets based on their decryptions.\n\n### References\n\nThis issue was first reported in OQS https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7. The vulnerability was identified by C\u00e9lian Gl\u00e9naz and Dahmun Goudarzi (Quarkslab).\n",
"id": "GHSA-753p-wrj5-g8fj",
"modified": "2024-12-11T21:48:32Z",
"published": "2024-12-11T21:47:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PQClean/PQClean/security/advisories/GHSA-753p-wrj5-g8fj"
},
{
"type": "WEB",
"url": "https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7"
},
{
"type": "WEB",
"url": "https://github.com/PQClean/PQClean/pull/578"
},
{
"type": "WEB",
"url": "https://github.com/rustpq/pqcrypto/commit/0c07fa8badbf44f67d3ff1571df31ca54e5228c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/PQClean/PQClean"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "PQClean has a correctness error in HQC decapsulation"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.