CVSS 5.3 CVE-2022-46176

CVSS 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don’t explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git’s [url.<base>.insteadOf][1] setting), as that would cause you to clone the crates.io index through SSH. Rust 1.66.1 ensures that Cargo checks the SSH host key and aborts the connection if the server’s public key is not already trusted. We recommend that everyone upgrade as soon as possible.

Description

A security vulnerability was found in Cargo, a package manager for Rust, which was closed with the release of Rust 1.66.1.

Due to a missing SSH host key check when cloning indexes and dependencies, Cargo is vulnerable to man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176 and given a CVSS score of 5.3. All Rust versions prior to 1.66.1 are affected by this vulnerability.

To prevent man-in-the-middle attacks over SSH, the SSH host key must be verified, and if the host key has changed, the connection must be terminated. During the security review it was discovered that this check had never been implemented in Cargo.

This vulnerability enables supply-chain attacks during software development or build: an attacker who redirects the connection to a server under their control can serve a modified repository in place of the original Git repository, and that repository may contain ransomware or other malicious code.

Mitigation

It is recommended to upgrade to Rust 1.66.1 or newer in a timely manner, which provides a secured version of Cargo.

If updating Rust is not possible, Cargo must be configured to fetch with the git command-line tool, which hands SSH connections to the system SSH client (OpenSSH, which performs host key checking against known_hosts), instead of Cargo’s built-in git support.

The following setting is required in the Cargo configuration file for this:

[net]
git-fetch-with-cli = true
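As an added example (not part of the advisory or of Cargo itself), a small Python helper that turns the three conditions above into checks over text you already have on hand: the output of `cargo --version`, the output of `git config --get-regexp insteadof`, and the contents of your Cargo config file. Function names and all sample inputs are constructed.

```python
import re
FIXED = (1, 66, 1)  # first Rust/Cargo release with SSH host key validation

def parse_cargo_version(output: str) -> tuple:
    """Return (major, minor, patch) from `cargo --version` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", output)
    if not m:
        raise ValueError(f"cannot parse cargo version from {output!r}")
    return tuple(int(x) for x in m.groups())

def cargo_is_vulnerable(version_output: str) -> bool:
    """True for every Cargo older than 1.66.1 (the affected range)."""
    return parse_cargo_version(version_output) < FIXED

def https_to_ssh_rewrites(git_config_dump: str) -> list:
    """Find url.<base>.insteadOf rewrites that turn https:// URLs into SSH
    (ssh:// or scp-style user@host:); these move the crates.io clone onto SSH."""
    hits = []
    for line in git_config_dump.splitlines():
        m = re.match(r"\s*url\.(.+)\.insteadof\s+(\S+)\s*$", line, re.I)
        if m:
            base, instead = m.group(1), m.group(2)
            is_ssh = base.startswith("ssh://") or re.match(r"^[\w.-]+@[\w.-]+:", base)
            if instead.lower().startswith("https://") and is_ssh:
                hits.append((instead, base))
    return hits

def git_cli_workaround_enabled(cargo_config: str) -> bool:
    """True when the Cargo config sets [net] git-fetch-with-cli = true,
    i.e. Cargo shells out to git and therefore to the system SSH client."""
    section = None
    for raw in cargo_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop TOML comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "net":
            key, _, value = line.partition("=")
            if key.strip() == "git-fetch-with-cli":
                return value.strip().lower() == "true"
    return False

def assess(version_output: str, git_config_dump: str, cargo_config: str) -> str:
    """One verdict from the three inputs (all passed in as text)."""
    if not cargo_is_vulnerable(version_output):
        return "fixed"
    if git_cli_workaround_enabled(cargo_config):
        return "mitigated"
    return "unpatched+ssh-rewrite" if https_to_ssh_rewrites(git_config_dump) else "unpatched"
```

Note that "unpatched" still means an SSH-based registry index or git dependency in Cargo.toml would be exposed; the rewrite check only catches the implicit case the advisory warns about.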

This vulnerability was found by the Julia Security Team and reported to the Rust Team as part of a responsible disclosure.

Release Notes 1.66.1

  • Added validation of SSH host keys for git URLs in Cargo (CVE-2022-46176)

References