
RUSTSEC-2024-0430
Rust vulnerability analysis and mitigation

Overview

RUSTSEC-2024-0430 affects the rust-magiccrypt crate, which was found to use multiple insecure cryptographic algorithms and implementations that do not guarantee data integrity. The issue was discovered and reported on December 28, 2024, and concerns the crate's implementation up to version 4.0.1 (GitHub Issue).

Technical details

The vulnerability covers several cryptographic implementation issues across the crate's variants. MagicCrypt64 uses the broken DES block cipher and inappropriately uses CRC64 for key derivation. MagicCrypt128 implements AES-128-CBC but uses the insecure MD5 hash function for key and IV generation. MagicCrypt192 uses AES-192-CBC with the Tiger hash function, while MagicCrypt256 employs AES-256-CBC with SHA-256 for key hashing. None of these variants includes a message authentication code (MAC); because they use PKCS#7 padding without a MAC, they are vulnerable to padding oracle attacks. Additionally, there is undefined behavior in memory handling (GitHub Issue).

Impact

The vulnerabilities expose users to several security risks: potential data breaches through padding oracle attacks, susceptibility to modification attacks due to the lack of message authentication, and possible exploitation through broken cryptographic algorithms. The use of insecure key derivation methods also makes the encrypted data vulnerable to brute-force attacks (GitHub Issue).

Mitigation and workarounds

Users are strongly advised against using this crate in its current state. For alternative solutions, it is recommended to use ChaCha20Poly1305 for encryption with Argon2id for key generation from passwords. When implementing these alternatives, it's crucial to never reuse ChaCha20Poly1305's nonce for the same key and always generate new random salts for Argon2id. For specific use cases, it is recommended to consult with a cryptographer (GitHub Issue).
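Acting on this advice starts with knowing whether the crate is in a build at all, including as a transitive dependency. The following is an added example, not code from the advisory or from the crate's project: it walks a `Cargo.lock` and reports entries for the affected crate. The crates.io package name `magic-crypt` is an assumption not stated on this page, and the sample lockfile is constructed.

```rust
// Added example: report Cargo.lock entries for the crate in RUSTSEC-2024-0430.
// Assumption: `magic-crypt` is the crates.io package name of rust-magiccrypt.
const CRATE: &str = "magic-crypt";
const LAST_REPORTED: [u64; 3] = [4, 0, 1]; // "up to version 4.0.1" on this page
// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "example-app"
version = "0.1.0"
[[package]]
name = "magic-crypt"
version = "4.0.1"
"#;

#[derive(Debug, PartialEq)]
pub struct Finding { pub version: String, pub within_reported_range: bool }

/// Value of a `key = "value"` line, or None for any other line shape.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Parse MAJOR.MINOR.PATCH, ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let n = core.split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if n.len() == 3 { Some([n[0], n[1], n[2]]) } else { None }
}

/// Walk the package entries; transitive dependencies are listed there too.
pub fn scan_lockfile(lock: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines() {
        if let Some(n) = quoted_value(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted_value(line, "version").filter(|_| name == Some(CRATE)) {
            // An unparseable version is flagged rather than silently passed.
            let within = parse_version(v).map_or(true, |p| p <= LAST_REPORTED);
            findings.push(Finding { version: v.to_string(), within_reported_range: within });
        }
    }
    findings
}

fn main() {
    for f in scan_lockfile(SAMPLE_LOCK) { println!("{} {:?}", CRATE, f); }
}
```

A finding with `within_reported_range: false` only means the version is above the 4.0.1 bound given on this page, not that it is fixed.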

Community reactions

Security researchers have recommended archiving the GitHub repository and other MagicCrypt libraries, along with adding clear warnings in the documentation about the security risks. The community has acknowledged these issues, with security experts confirming the severity of the vulnerabilities and supporting the creation of a security advisory (GitHub Issue).

This report was generated using AI.