CVE-2021-33589: 
NixOS vulnerability analysis and mitigation

RNP (Ribose Network Protocol) versions before 0.15.1 contained a vulnerability related to cryptographic key protection. The vulnerability, identified as CVE-2021-33589, was discovered when a key decrypted through rnp_key_unprotect would remain unprotected after a subsequent call of rnp_key_protect, resulting in weaker encryption than intended. This issue was initially discovered in Thunderbird versions 78.8.1 to 78.10.1 (Ribose Advisory).

The vulnerability stems from improper handling of key protection settings during cryptographic operations. When rnp_key_unprotect is called to decrypt key data, it overwrites key protection settings and stores key data in unprotected form. Subsequently, when rnp_key_protect is called, the key protection settings are not properly copied within RNP, leaving key material exposed. This differs from the rnp_key_unlock function, which is designed to temporarily decrypt secret key data without overwriting key protection settings (Ribose Advisory).

The vulnerability results in insufficient protection of credentials and insecure storage of sensitive information. When exploited, it could lead to exposure of sensitive cryptographic key material, potentially compromising the security of encrypted communications. The issue is classified under CWE-522 (Insufficiently Protected Credentials) and CWE-922 (Insecure Storage of Sensitive Information) (Ribose Advisory).

The issue has been fixed in RNP version 0.15.1 and later releases, where rnp_key_protect properly implements re-protection for keys that have been 'unprotected' by rnp_key_unprotect. For systems with unprotected keys saved outside of RNP, a re-protection step needs to be applied. Thunderbird has implemented auto-re-protection in its latest release to address this vulnerability (Ribose Advisory).