Version 0.6.0 of the simple_asn1 crate panics on certain malformed inputs to its parsing functions, including from_der and der_decode. Because this crate is frequently used with inputs from the network, this should be considered a security vulnerability.

The issue occurs when parsing the old ASN.1 "UTCTime" time format. If an attacker provides a UTCTime where the first character is ASCII but the second character is above 0x7f, a string slice operation in the from_der_ function will try to slice into the middle of a UTF-8 character, and cause a panic.

This error was introduced in commit d7d39d709577710e9dc8, which updated simple_asn1 to use time instead of chrono because of RUSTSEC-2020-159. Versions of simple_asn1 before 0.6.0 are not affected by this issue.

The patch was applied in simple_asn1 version 0.6.1.

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.