GHSA-8vxv-2g8p-2249: Observable Timing Discrepancy in totp-rs

Observable Timing Discrepancy in totp-rs

Moderate severity GitHub Reviewed Published May 24, 2022 in constantoine/totp-rs • Updated May 24, 2022

Package

cargo totp-rs (Rust )

Affected versions

< 1.1.0

Patched versions

1.1.0

Description

Impact

Token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless.

Patches

Library now used constant-time comparison.

Workarounds

No.

For more information

If you have any questions or comments about this advisory:

• Open an issue in totp-rs
• Email us at [email protected]

References

• GHSA-8vxv-2g8p-2249
• https://nvd.nist.gov/vuln/detail/CVE-2022-29185
• constantoine/totp-rs#13
• https://github.com/constantoine/totp-rs/releases/tag/v1.1.0

constantoine published the maintainer security advisory

May 9, 2022

Severity

Moderate

4.2

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

High

User interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Weaknesses

CWE-203

CVE ID

CVE-2022-29185

GHSA ID

GHSA-8vxv-2g8p-2249

Source code

constantoine/totp-rs

Dependabot alerts are not supported on some or all of the ecosystems on this advisory.

Learn more about GitHub language support

Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.