RUSTSEC-2023-0053

rustls-webpki: CPU denial of service in certificate path building

Reported

August 22, 2023

Issued

August 22, 2023 (last modified: August 27, 2023)

Package

rustls-webpki (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#certificate #path-building #x509

Aliases

GHSA-fh2r-99q2-6mmg

Related

CVE-2018-16875

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.100.2, <0.101.0
>=0.101.4

Description

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

We now give each path building operation a budget of 100 signature verifications.

The original webpki crate is also affected.

This was previously reported in the original crate https://github.com/briansmith/webpki/issues/69 and re-reported to us recently by Luke Malinowski.

Advisory available under CC0-1.0 license.