Improper Verification of Cryptographic Signature in Cargo and Rust Programming Language

#VU71491 Improper Verification of Cryptographic Signature in Cargo and Rust Programming Language

Published: 2023-01-24

Vulnerability identifier: #VU71491

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-46176

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cargo
/
Rust Programming Language
Universal components / Libraries / Programming Languages & Components

Vendor: The Rust Programming Language
Rust Team

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Cargo does not perform SSH host key verification when cloning indexes and dependencies via SSH. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cargo: 0.0.1-pre - 0.67.0

Rust Programming Language: 1.0.0 - 1.66.0

CPE

cpe:2.3::rust-lang:cargo:0.67.0:*:*:*:*:*:*:*

External links
http://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
http://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

SUSE update for rust1.65

SUSE update for rust1.66

MitM attack in Rust Cargo