CVE-2019-16143

Vulnerability

Detail

The blake2 Rust crate (versions prior to 0.8.1) contains a critical flaw in its implementation of the BLAKE2b and BLAKE2s hash algorithms when used as the underlying hash function for Hash-based Message Authentication Code (HMAC). The root cause is that the internal block sizes used by these algorithms were set to half of the required sizes mandated by the HMAC specification [2]. This leads to incorrect computation of HMAC tags for any message and key combination.

Exploitation

An attacker can exploit this vulnerability without any privileges or user interaction, as the HMAC computation is performed on the server or client side. The attack vector is network-based, and the only prerequisite is a system using the vulnerable blake2 crate together with an HMAC implementation to process authentication tags. For example, a prototype mismatch was demonstrated where an empty key and empty message produced a digest completely different from the correct Go reference implementation [3].

Impact

Successful exploitation allows an attacker to bypass authentication mechanisms that rely on HMAC with BLAKE2. Since HMAC is commonly used for message integrity and authenticity in protocols such as TLS, JWT, or custom API authentication, an attacker could forge authentication tokens, tamper with messages, or impersonate legitimate parties. The CVSS score is 9.8 (Critical) due to the high impact on confidentiality, integrity, and availability [2].

Mitigation

The issue is fixed in version 0.8.1 of the blake2 crate, which corrects the block size constants to match the required values [2]. Users should update to at least 0.8.1 and rebuild all artifacts that depend on the crate. There is no known workaround other than upgrading, as the root cause is in the hash algorithm's block size parameters.