rustsec-2024-0343
Vulnerability from osv_rustsec
Published
2024-06-03 12:00
Modified
2024-06-15 13:11
Summary
Reduced entropy due to inadequate character set usage
Details

Description

Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the nano_id::base62 and nano_id::base58 functions. Specifically, the base62 function used a character set of 32 symbols instead of the intended 62 symbols, and the base58 function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the nano_id::gen macro is also affected when a custom character set that is not a power of 2 in size is specified.

It should be noted that nano_id::base64 is not affected by this vulnerability.

Impact

This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.

Patches

The flaws were corrected in commit a9022772b2f1ce38929b5b81eccc670ac9d3ab23 by updating the the nano_id::gen macro to use all specified characters correctly.

PoC

use std::collections::BTreeSet;

fn main() {
    test_base58();
    test_base62();
}

fn test_base58() {
    let mut produced_symbols = BTreeSet::new();

    for _ in 0..100_000 {
id = "RUSTSEC-2024-0343"
        for c in id.chars() {
            produced_symbols.insert(c);
        }
    }

    println!(
        "{} symbols generated from nano_id::base58",
        produced_symbols.len()
    );
}

fn test_base62() {
    let mut produced_symbols = BTreeSet::new();

    for _ in 0..100_000 {
id = "RUSTSEC-2024-0343"
        for c in id.chars() {
            produced_symbols.insert(c);
        }
    }

    println!(
        "{} symbols generated from nano_id::base62",
        produced_symbols.len()
    );
}
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "crypto-failure"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "nano_id::base58",
            "nano_id::base62",
            "nano_id::gen"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "nano-id",
        "purl": "pkg:cargo/nano-id"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-2hfw-w739-p7x5",
    "GHSA-9hc7-6w9r-wj94",
    "CVE-2024-36400"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "## Description\n\nAffected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.\n\nIt should be noted that `nano_id::base64` is not affected by this vulnerability.\n\n## Impact\n\nThis can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.\n\n## Patches\n\nThe flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly.\n\n## PoC\n\n```rust\nuse std::collections::BTreeSet;\n\nfn main() {\n    test_base58();\n    test_base62();\n}\n\nfn test_base58() {\n    let mut produced_symbols = BTreeSet::new();\n\n    for _ in 0..100_000 {\nid = \"RUSTSEC-2024-0343\"\n        for c in id.chars() {\n            produced_symbols.insert(c);\n        }\n    }\n\n    println!(\n        \"{} symbols generated from nano_id::base58\",\n        produced_symbols.len()\n    );\n}\n\nfn test_base62() {\n    let mut produced_symbols = BTreeSet::new();\n\n    for _ in 0..100_000 {\nid = \"RUSTSEC-2024-0343\"\n        for c in id.chars() {\n            produced_symbols.insert(c);\n        }\n    }\n\n    println!(\n        \"{} symbols generated from nano_id::base62\",\n        produced_symbols.len()\n    );\n}\n```",
  "id": "RUSTSEC-2024-0343",
  "modified": "2024-06-15T13:11:33Z",
  "published": "2024-06-03T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/nano-id"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0343.html"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reduced entropy due to inadequate character set usage"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.