|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Security advisory for Cargo (CVE-2022-46176)" |
| 4 | +author: The Rust Security Response WG |
| 5 | +--- |
| 6 | + |
| 7 | +> This is a cross-post of [the official security advisory][advisory]. The |
| 8 | +> official advisory contains a signed version with our PGP key, as well. |
| 9 | +
|
| 10 | +[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/v5cFFJ7T0RY |
| 11 | + |
| 12 | +The Rust Security Response WG was notified that Cargo did not perform SSH host |
| 13 | +key verification when cloning indexes and dependencies via SSH. An attacker |
| 14 | +could exploit this to perform man-in-the-middle (MITM) attacks. |
| 15 | + |
| 16 | +This vulnerability has been assigned CVE-2022-46176. |
| 17 | + |
| 18 | +## Overview |
| 19 | + |
| 20 | +When an SSH client establishes communication with a server, to prevent MITM |
| 21 | +attacks the client should check whether it already communicated with that |
| 22 | +server in the past and what the server's public key was back then. If the key |
| 23 | +changed since the last connection, the connection must be aborted as a MITM |
| 24 | +attack is likely taking place. |
| 25 | + |
| 26 | +It was discovered that Cargo never implemented such checks, and performed no |
| 27 | +validation on the server's public key, leaving Cargo users vulnerable to MITM |
| 28 | +attacks. |
| 29 | + |
| 30 | +## Affected Versions |
| 31 | + |
| 32 | +All Rust versions containing Cargo before 1.66.1 are vulnerable. |
| 33 | + |
| 34 | +Note that even if you don't explicitly use SSH for alternate registry indexes |
| 35 | +or crate dependencies, you might be affected by this vulnerability if you have |
| 36 | +configured git to replace HTTPS connections to GitHub with SSH (through git's |
| 37 | +[`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the |
| 38 | +crates.io index through SSH. |
| 39 | + |
| 40 | +## Mitigations |
| 41 | + |
| 42 | +We will be releasing Rust 1.66.1 today, 2023-01-10, changing Cargo to check the |
| 43 | +SSH host key and abort the connection if the server's public key is not already |
| 44 | +trusted. We recommend everyone to upgrade as soon as possible. |
| 45 | + |
| 46 | +Patch files for Rust 1.66.0 are also available [here][2] for custom-built |
| 47 | +toolchains. |
| 48 | + |
| 49 | +For the time being Cargo will not ask the user whether to trust a server's |
| 50 | +public key during the first connection. Instead, Cargo will show an error |
| 51 | +message detailing how to add that public key to the list of trusted keys. Note |
| 52 | +that this might break your automated builds if the hosts you clone dependencies |
| 53 | +or indexes from are not already trusted. |
| 54 | + |
| 55 | +## Acknowledgments |
| 56 | + |
| 57 | +Thanks to the Julia Security Team for disclosing this to us according to our |
| 58 | +[security policy][1]! |
| 59 | + |
| 60 | +We also want to thank the members of the Rust project who contributed to fixing |
| 61 | +this issue. Thanks to Eric Huss and Weihang Lo for writing and reviewing the |
| 62 | +patch, Pietro Albini for coordinating the disclosure and writing this advisory, |
| 63 | +and Josh Stone, Josh Triplett and Jacob Finkelman for advising during the |
| 64 | +disclosure. |
| 65 | + |
| 66 | +[1]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf |
| 67 | +[2]: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176 |
| 68 | +[3]: https://www.rust-lang.org/policies/security |
0 commit comments