CVE-2024-58261: Sequoia-OpenPGP Crate Vulnerable to Infinite Loop
This blog post details CVE-2024-58261, an infinite loop in the sequoia-openpgp crate for Rust. A certificate whose primary key uses a key type the crate does not support makes its RawCertParser spin without ever finishing, which is a denial of service for any application that parses certificates it did not produce itself.
Vulnerability Details
- CVE ID: CVE-2024-58261
- Description: sequoia-openpgp versions from 1.13.0 up to, but not including, 1.21.0 contain an infinite loop. When RawCertParser encounters a primary key of an unsupported type it repeatedly reports "Reading a cert: Invalid operation: Not a Key packet" without making progress, so nothing after that point in the input is ever processed.
- CVSS Score: 2.9 (LOW)
- CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS Explanation: The score is low because the vector assumes local access (AV:L) and a high-complexity attack (AC:H), and it rates the impact as a low confidentiality loss with no availability impact (C:L/A:N). That impact rating does not describe this bug: an infinite loop is purely an availability problem, and no data is disclosed or modified. The complexity is also overstated for a parser bug: the trigger is a certificate whose primary key packet uses an unsupported algorithm, which anyone able to submit a certificate can produce without any knowledge of the target. Use the vector as listed here as a starting point and re-score for your own deployment, with a network attack vector and an availability impact wherever a service accepts certificates from remote parties.
- Exploit Requirements: An attacker needs to provide a specially crafted OpenPGP certificate to a system using the vulnerable sequoia-openpgp crate. This certificate must contain an unsupported primary key type.
- Affected Vendor: Sequoia-PGP
- Affected Product: sequoia-openpgp crate
- Affected Version: 1.13.0 before 1.21.0
- CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
- CWE Explanation: CWE-835 covers loops whose exit condition can never be reached. Here the loop is the caller's iteration over RawCertParser: on an unsupported primary key the parser reports an error but does not advance past the offending key packet, so each subsequent call sees the same packet, fails the same way, and iteration never reaches the end of the input.
Timeline of Events
- 2024: Vulnerability discovered and reported.
- 2025-07-27: CVE-2024-58261 assigned.
- 2025-07-27: Public disclosure and advisory released.
- 2024: Fix released in sequoia-openpgp 1.21.0. The fixed release shipped before the CVE was assigned; the identifier was issued retroactively.
Exploitability & Real-World Risk
Despite the low score, the trigger is reachable wherever the crate parses certificates it did not generate itself: a mail client or server that parses keys found in messages or fetched from a keyserver, a key management service that accepts uploads, or a verification step that reads a user-supplied keyring. One crafted certificate placed in such a path stalls that parsing thread until the process is restarted, and if the same input is retried (a queue, a scheduled job, a client that resubmits) the stall recurs on every attempt.
Recommendations
- Update to version 1.21.0 or later: The fix is in sequoia-openpgp 1.21.0. Check what your build actually resolves rather than what Cargo.toml asks for, since the crate often arrives transitively: cargo tree -i sequoia-openpgp lists every dependency path that pulls it in and the resolved version. If the manifest already allows a 1.x range, cargo update -p sequoia-openpgp moves the lockfile to the newest compatible release; otherwise raise the requirement in Cargo.toml and rebuild.
- Bound the parse instead of trying to sanitize the input: An OpenPGP certificate cannot be validated without parsing it, so pre-filtering is not a real defense. Treat parsing of untrusted certificates as work that may fail to terminate: run it on a worker with a deadline, cap the number of parse errors you accept from one input, and treat an error that consumed no input as fatal for that input rather than something to retry. Keep the guard after upgrading; it covers the next bug of this shape in any parser you drive as an iterator.
Technical Insight
The loop lives in the interaction between RawCertParser and its caller. The parser is driven as an iterator, one certificate per call. When the primary key packet uses a type the crate does not support, the call fails with "Invalid operation: Not a Key packet", but the parser's position in the input does not move past the offending packet, so the next call fails on the same packet with the same message, and so on indefinitely. A caller that loops until the iterator is exhausted never gets there. Whatever the exact shape of the 1.21.0 change, the invariant it has to restore is that every call either consumes input or returns None: the unparseable certificate is reported once and iteration either continues with the next certificate or ends.
Credit to Researcher(s)
The discovery and reporting of this vulnerability are credited to the Sequoia-PGP project contributors.
Tags
#Security #CVE-2024-58261 #Rust #OpenPGP #DenialofService #Sequoia
Summary: CVE-2024-58261 describes an infinite loop vulnerability in the sequoia-openpgp crate for Rust, affecting versions 1.13.0 before 1.21.0. Processing a malformed OpenPGP certificate with an unsupported key type can trigger a denial-of-service condition. Users are advised to update to version 1.21.0 or later.
CVE ID: CVE-2024-58261
Risk Analysis: Successful exploitation leads to a denial-of-service, impacting the availability of applications using the vulnerable sequoia-openpgp crate. This can disrupt services and require manual intervention to recover.
Recommendation: Update to sequoia-openpgp crate version 1.21.0 or later. This version contains a fix for the infinite loop vulnerability.