
Cloud Vulnerability DB
A community-led vulnerabilities database
gost (GO Simple Tunnel) is a simple tunnel written in Go that contains a timing attack vulnerability (CVE-2023-32691) affecting versions up to and including 2.11.5. The vulnerability was published on May 30, 2023, and affects the authentication mechanism of the software (NVD, GitHub Advisory).
The vulnerability stems from an insecure comparison of sensitive information in the authentication process. Specifically, in auth.go (line 46), untrusted input taken from an HTTP header is compared directly against a secret using a non-constant-time comparison. The vulnerability is classified as CWE-203 (Observable Discrepancy) with a CVSS v3.1 base score of 5.9 (Medium), reflecting a network attack vector with high attack complexity (NVD).
An attacker can potentially mount a side-channel timing attack to guess passwords, tokens, or API keys by observing differences in processing time between valid and invalid inputs, since a byte-by-byte string comparison stops at the first mismatch. This could lead to unauthorized access to protected resources (GitHub Advisory).
The recommended fix is to use a constant-time comparison function such as ConstantTimeCompare from crypto/subtle. A patch has been provided that implements this solution by replacing the direct string comparison with the constant-time comparison function (GitHub Advisory).
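The following is an added illustration, not gost's own code or patch: a header-to-secret check shaped like the one the advisory describes, shown in its vulnerable form beside a hardened form. The function and header names are assumptions; the secret is a constructed sample. Hashing both values before calling subtle.ConstantTimeCompare also prevents the comparison from returning early when the lengths differ.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Vulnerable pattern (assumed shape of the auth.go comparison): a plain ==
// on strings returns at the first mismatching byte, so the response time
// reveals how many leading bytes of the secret the caller guessed correctly.
func compareSecretInsecure(provided, secret string) bool {
	return provided == secret
}

// Hardened form: reduce both values to fixed-length SHA-256 digests so that
// neither the secret's length nor its content changes the work done, then
// compare the digests in constant time with crypto/subtle.
func compareSecretConstantTime(provided, secret string) bool {
	p := sha256.Sum256([]byte(provided))
	s := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

// authMiddleware is a hypothetical header-based check: the untrusted
// X-Auth-Token header value (assumed name) is checked against the configured
// secret using the constant-time comparison.
func authMiddleware(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !compareSecretConstantTime(r.Header.Get("X-Auth-Token"), secret) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	const secret = "constructed-sample-secret" // constructed, not a real credential
	fmt.Println("insecure, wrong token:     ", compareSecretInsecure("guess", secret))
	fmt.Println("constant-time, wrong token:", compareSecretConstantTime("guess", secret))
	fmt.Println("constant-time, right token:", compareSecretConstantTime(secret, secret))
}
```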
Source: This report was generated using AI