- Reported
-
- Issued
-
- Package
-
hpke-rs
(crates.io)
- Type
-
Vulnerability
- Aliases
-
- References
-
- CVSS Score
- 9.3
CRITICAL
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- None
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- None
- Confidentiality Impact to the Vulnerable System
- High
- Integrity Impact to the Vulnerable System
- High
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
hpke_rs::Context::open-
hpke_rs::Context::seal-
Description
The sequence number that is used to compute the AEAD nonce when using
a re-usable HPKE context is incremented after each seal or open
operation. This sequence number was stored as a u32 and used regular
addition on u32 for the increment, meaning in release mode it would
silently wrap around to 0 after 2^32 seal or open operations.
Impact
Nonce reuse causes catastrophic breakage of AEAD ciphers, enabling
plaintext recovery attacks and authentication tag forgeries, depending
on the concrete AEAD.
This bug impacts applications that use hpke-rs to encrypt a large
number of messages using the same context. Applications using the
one-shot APIs are unaffected.
Mitigation
Starting with version 0.6.0, checked_add is used to increment the
sequence number, which avoids a silent wraparound in release
mode. Additionally, the sequence number is now stored as a u64,
increasing the maximally allowed number of seal and open operations on
a given HPKE context.
Advisory available under CC0-1.0
license.