Unauthenticated encryption is vulnerable to chosen ciphertext attacks, bitflipping attacks

[tarcieri]

This gem is using an unauthenticated encryption mode (CBC) which is vulnerable to chosen ciphertext attacks (i.e. it is not IND-CCA secure)

This is a serious issue which can allow active attackers to completely recover message plaintexts. It also allows attackers to make undetectable alterations to the plaintext.

At the very minimum you should add HMAC in an encrypt-then-MAC construction.

[fsck-mount]

Is that something, that we can avoid using Random IV?

[tarcieri]

No, failure to use a random IV (#4) is a separate, unrelated, but still very bad problem.

[fsck-mount]

@tarcieri Thanks for the info.

[jfinkhaeuser]

FYI, in case you're trying to follow the same path as me:

• Create a CVE request at http://cve.mitre.org/ - You'll get a CVE ID a day or so later.
• Create a report at https://rubysec.com/, quoting the CVE ID (they really need it even if it's not a required field)
• If people use https://github.com/rubysec/bundler-audit (they should), the reports will crop up.

[jfinkhaeuser]

I'm just sad it took me four years to figure out that this path works just fine... ugh. It should not have surprised me.

[attritionorg]

@jfinkhaeuser That web form is a new thing created this year, in response to MITRE failing to issue IDs in a timely fashion via e-mail.