ghsa-r38m-44fw-h886
Vulnerability from github
Published
2025-03-03 20:22
Modified
2025-03-03 20:22
Severity ?
5.7 (Medium) - CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
Details

Summary

In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect.

Details

This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq

PoC

```rust use ascon_aead::Tag; use ascon_aead::{Ascon128, Key, Nonce}; use ascon_aead::aead::{AeadInPlace, KeyInit};

fn main() {

let key = Key::<Ascon128>::from_slice(b"very secret key.");
let cipher = Ascon128::new(key);

let nonce = Nonce::<Ascon128>::from_slice(b"unique nonce 012"); // 128-bits; unique per message

let mut buffer: Vec<u8> = Vec::new(); // Buffer needs 16-bytes overhead for authentication tag
buffer.extend_from_slice(b"plaintext message");

// Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext
cipher.encrypt_in_place_detached(nonce, b"", &mut buffer).expect("encryption failure!");

// Decrypt `buffer` in-place with the wrong tag, ignoring the decryption error
let _ = cipher.decrypt_in_place_detached(nonce, b"", &mut buffer, Tag::<Ascon128>::from_slice(b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"));

assert_eq!(&buffer, b"plaintext message");

} ```

Impact

If a program continues to use the result of decrypt_in_place_detached after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.2"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "ascon_aead"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T20:22:19Z",
    "nvd_published_at": "2025-03-03T17:15:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn `decrypt_in_place_detached`, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect.\n\n### Details\nThis is because in [decrypt_inplace](https://github.com/RustCrypto/AEADs/blob/8cda109f1128c4c7953a0bb0f53e1056d537e462/ascon-aead/src/asconcore.rs#L350-L364) in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in `buffer`. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq\n\n### PoC\n```rust\nuse ascon_aead::Tag;\nuse ascon_aead::{Ascon128, Key, Nonce};\nuse ascon_aead::aead::{AeadInPlace, KeyInit};\n\nfn main() {\n\n    let key = Key::\u003cAscon128\u003e::from_slice(b\"very secret key.\");\n    let cipher = Ascon128::new(key);\n\n    let nonce = Nonce::\u003cAscon128\u003e::from_slice(b\"unique nonce 012\"); // 128-bits; unique per message\n\n    let mut buffer: Vec\u003cu8\u003e = Vec::new(); // Buffer needs 16-bytes overhead for authentication tag\n    buffer.extend_from_slice(b\"plaintext message\");\n\n    // Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext\n    cipher.encrypt_in_place_detached(nonce, b\"\", \u0026mut buffer).expect(\"encryption failure!\");\n    \n    // Decrypt `buffer` in-place with the wrong tag, ignoring the decryption error\n    let _ = cipher.decrypt_in_place_detached(nonce, b\"\", \u0026mut buffer, Tag::\u003cAscon128\u003e::from_slice(b\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"));\n\n    assert_eq!(\u0026buffer, b\"plaintext message\");\n}\n```\n### Impact\nIf a program continues to use the result of `decrypt_in_place_detached` after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).",
  "id": "GHSA-r38m-44fw-h886",
  "modified": "2025-03-03T20:22:19Z",
  "published": "2025-03-03T20:22:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27498"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/AEADs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.