#VU71491 Improper Verification of Cryptographic Signature in Cargo and Rust Programming Language - CVE-2022-46176

Cybersecurity Help s.r.o.

Published: 2023-01-24

Vulnerability identifier: #VU71491

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-46176

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cargo
Rust Programming Language
Universal components / Libraries / Programming Languages & Components

Vendor: The Rust Programming Language
Rust Team

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Cargo does not perform SSH host key verification when cloning indexes and dependencies via SSH. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cargo: 0.0.1-pre - 0.67.0

Rust Programming Language: 1.0.0 - 1.66.0

External links
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 22.03 LTS SP3 update for rust

openEuler 22.03 LTS SP4 update for rust

Gentoo update for Rust

Amazon Linux AMI update for rust

Fedora 37 update for rust

Fedora 36 update for rust

SUSE update for rust1.65

SUSE update for rust1.66

MitM attack in Rust Cargo