CVE-2025-27498 – ascon_aead
Package
Manager: cargo
Name: ascon_aead
Vulnerable Version: >=0 <0.4.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00014 (percentile 0.01652)
Details
AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure

### Summary

In `decrypt_in_place_detached`, the decrypted ciphertext (which is the correct plaintext for that ciphertext) is exposed in the caller's buffer even if the tag is incorrect.

### Details

This is because in [decrypt_inplace](https://github.com/RustCrypto/AEADs/blob/8cda109f1128c4c7953a0bb0f53e1056d537e462/ascon-aead/src/asconcore.rs#L350-L364) in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in `buffer`. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq

### PoC

```rust
use ascon_aead::aead::{AeadInPlace, KeyInit};
use ascon_aead::Tag;
use ascon_aead::{Ascon128, Key, Nonce};

fn main() {
    let key = Key::<Ascon128>::from_slice(b"very secret key.");
    let cipher = Ascon128::new(key);
    let nonce = Nonce::<Ascon128>::from_slice(b"unique nonce 012"); // 128-bits; unique per message

    // In detached mode the tag is returned separately, so the buffer needs no extra capacity
    let mut buffer: Vec<u8> = Vec::new();
    buffer.extend_from_slice(b"plaintext message");

    // Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext
    cipher
        .encrypt_in_place_detached(nonce, b"", &mut buffer)
        .expect("encryption failure!");

    // Decrypt `buffer` in-place with the wrong (all-zero) tag, ignoring the decryption error
    let wrong_tag = Tag::<Ascon128>::from_slice(&[0u8; 16]);
    let _ = cipher.decrypt_in_place_detached(nonce, b"", &mut buffer, wrong_tag);

    // Despite the tag mismatch, the buffer now holds the plaintext
    assert_eq!(&buffer, b"plaintext message");
}
```

### Impact

If a program continues to use the result of `decrypt_in_place_detached` after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).
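To make the failure mode and its mitigation concrete without depending on the `ascon-aead` crate, the following is an added example (not code from the advisory or the RustCrypto project). It uses a toy keystream and a non-cryptographic FNV-style tag as stand-ins for the real cipher and MAC, so that the two library behaviours can be compared side by side: a `_leaky` decrypt that returns `Err` with the plaintext still in the buffer (the pre-0.4.3 behaviour the advisory describes) and a `_fixed` decrypt that wipes the buffer before returning the error. The key, nonce and message values are constructed to match the PoC; the fix shown (wipe on mismatch) is the general defensive pattern, not a claim about the exact upstream patch.

```rust
// Added illustration, NOT the ascon-aead crate. The keystream and tag below are
// non-cryptographic stand-ins so the example runs with no external crates; they
// must never be used as a cipher. Only the control flow around tag failure matters.

pub const KEY_LEN: usize = 16;
pub const NONCE_LEN: usize = 16;
pub const TAG_LEN: usize = 16;

#[derive(Debug, PartialEq, Eq)]
pub struct DecryptError;

/// Toy keystream byte derived from key, nonce and position (stand-in only).
fn keystream_byte(key: &[u8; KEY_LEN], nonce: &[u8; NONCE_LEN], i: usize) -> u8 {
    key[i % KEY_LEN] ^ nonce[i % NONCE_LEN] ^ (i as u8).wrapping_mul(31)
}

/// Toy 16-byte tag over (key, nonce, associated data, ciphertext) using an
/// FNV-1a style mix. Stand-in for the real MAC; not collision resistant.
fn toy_tag(key: &[u8; KEY_LEN], nonce: &[u8; NONCE_LEN], ad: &[u8], ct: &[u8]) -> [u8; TAG_LEN] {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    let mut mix = |bytes: &[u8]| {
        for &b in bytes {
            h ^= b as u64;
            h = h.wrapping_mul(0x0100_0000_01b3);
        }
        // Domain separator so field boundaries (ad vs. ct) cannot shift.
        h ^= 0xff;
        h = h.wrapping_mul(0x0100_0000_01b3);
    };
    mix(key);
    mix(nonce);
    mix(ad);
    mix(ct);
    let mut tag = [0u8; TAG_LEN];
    tag[..8].copy_from_slice(&h.to_le_bytes());
    tag[8..].copy_from_slice(&h.rotate_left(32).wrapping_mul(0x9e37_79b9_7f4a_7c15).to_le_bytes());
    tag
}

/// Constant-time comparison of two tags of equal length.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Encrypts `buffer` in place and returns the detached tag (computed over the ciphertext).
pub fn encrypt_in_place_detached(key: &[u8; KEY_LEN], nonce: &[u8; NONCE_LEN], ad: &[u8], buffer: &mut [u8]) -> [u8; TAG_LEN] {
    for (i, b) in buffer.iter_mut().enumerate() {
        *b ^= keystream_byte(key, nonce, i);
    }
    toy_tag(key, nonce, ad, buffer)
}

/// Mirrors the behaviour the advisory describes for ascon-aead < 0.4.3: the buffer is
/// decrypted, the tag is checked afterwards, and on mismatch Err is returned while the
/// unauthenticated plaintext is still sitting in `buffer`.
pub fn decrypt_in_place_detached_leaky(key: &[u8; KEY_LEN], nonce: &[u8; NONCE_LEN], ad: &[u8], buffer: &mut [u8], tag: &[u8; TAG_LEN]) -> Result<(), DecryptError> {
    let expected = toy_tag(key, nonce, ad, buffer);
    for (i, b) in buffer.iter_mut().enumerate() {
        *b ^= keystream_byte(key, nonce, i);
    }
    if ct_eq(&expected, tag) { Ok(()) } else { Err(DecryptError) }
}

/// Hardened variant: same decrypt-then-verify order (an Ascon-style construction only
/// knows the tag after processing the data), but on mismatch the buffer is wiped before
/// Err is returned, so a caller that ignores the error cannot read unauthenticated
/// plaintext. Production code should wipe with a volatile write (e.g. the `zeroize`
/// crate) rather than a plain loop the optimizer might drop.
pub fn decrypt_in_place_detached_fixed(key: &[u8; KEY_LEN], nonce: &[u8; NONCE_LEN], ad: &[u8], buffer: &mut [u8], tag: &[u8; TAG_LEN]) -> Result<(), DecryptError> {
    let expected = toy_tag(key, nonce, ad, buffer);
    for (i, b) in buffer.iter_mut().enumerate() {
        *b ^= keystream_byte(key, nonce, i);
    }
    if ct_eq(&expected, tag) {
        Ok(())
    } else {
        buffer.iter_mut().for_each(|b| *b = 0);
        Err(DecryptError)
    }
}

/// Feeds both variants a forged all-zero tag (as in the advisory's PoC) and reports
/// whether each one left the plaintext readable after returning Err.
pub fn run_demo() -> (bool, bool) {
    let key = b"very secret key."; // constructed sample values, 16 bytes each
    let nonce = b"unique nonce 012";
    let plaintext = b"plaintext message";
    let wrong_tag = [0u8; TAG_LEN];

    let mut buf = plaintext.to_vec();
    let _ = encrypt_in_place_detached(key, nonce, b"", &mut buf);
    let res = decrypt_in_place_detached_leaky(key, nonce, b"", &mut buf, &wrong_tag);
    let leaky_exposes = res.is_err() && buf.as_slice() == &plaintext[..];

    let mut buf = plaintext.to_vec();
    let _ = encrypt_in_place_detached(key, nonce, b"", &mut buf);
    let res = decrypt_in_place_detached_fixed(key, nonce, b"", &mut buf, &wrong_tag);
    let fixed_exposes = res.is_err() && buf.as_slice() == &plaintext[..];

    (leaky_exposes, fixed_exposes)
}

fn main() {
    let (leaky, fixed) = run_demo();
    println!("leaky variant exposes plaintext on tag failure: {leaky}");
    println!("fixed variant exposes plaintext on tag failure: {fixed}");
}
```

On the caller side, the same rule applies when using an unpatched version: treat the buffer as untrusted after any `Err` from `decrypt_in_place_detached` and wipe or discard it rather than reading from it. The library-side wipe shown in `_fixed` simply makes that discipline unnecessary to remember.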
Metadata
Created: 2025-03-03T20:22:19Z
Modified: 2025-03-03T20:22:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-r38m-44fw-h886/GHSA-r38m-44fw-h886.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-r38m-44fw-h886
Finding: F204
Auto approve: 1