The Security Response Working Group of the Rust community has responded to a report of a vulnerability in the way API keys were generated for packages managed on crates.io. As a consequence, the team has revoked all API keys, and developers have to create new keys on the crates.io site.
In the Rust programming language, packages are called crates, and the package manager Cargo manages their dependencies. The crates.io site is the registry for the Rust community's packages: developers publish their own crates there and declare the dependencies of those crates. At the time of writing it held a good 43,000 packages.
Not quite random
The reported vulnerability concerns an insecure method of generating random numbers. Until recently, crates.io relied on PostgreSQL's random() function, which is not a cryptographically secure random number generator. In theory, attackers could therefore determine the generator's internal state by analysing a sufficiently large number of its outputs.
That information could in turn be used to reconstruct API keys generated since the last restart of the database server. During its investigation, the working group stumbled upon a second finding: the API keys were stored in plain text in the database. Attackers who gained access to the database by any means could therefore simply read the keys.
Revocation and fresh code
According to the Security Response Working Group's assessment, the practical risk posed by the weaknesses is low. The working group states that it has no indication that attackers had already exploited them.
Nevertheless, it decided to revoke all existing API keys. Developers can create new keys at crates.io/me; the page requires registration or login. Meanwhile, the Rust team has adapted the code, which now uses a cryptographically secure random number generator and stores the tokens as hashes in the database.
From the report to fix
Details can be found in the Rust blog. It also gives a short timeline of events: the report of the vulnerability arrived on the afternoon (UTC, which is two hours earlier than Central European Summer Time) of 11 July 2020; the same evening the team confirmed it and planned a fix, whose development began on the morning of 13 July. On 14 July the developers tested the code change, rolled it out and publicly disclosed the vulnerability.