cyrusimap / cyrus-sasl


SCRAM: Client does not check low iteration counter #811

Open GuidoKiener opened 9 months ago

GuidoKiener commented 9 months ago

Problem: Using the SCRAM mechanism, the client does not abort authentication when the given iteration counter is lower than 4096.

See https://github.com/cyrusimap/cyrus-sasl/blob/cyrus-sasl-2.1.28/plugins/scram.c#L2457

A hostile server can send a small iteration counter (e.g. 1) and force the client to send a ClientProof that is calculated with the lowest computation time. Thus the hostile server can recover the client's password faster with an offline dictionary or brute-force attack.
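As an added worked example (not code from this issue and not the cyrus-sasl `scram.c` implementation), the Python sketch below shows both halves of the report: a client-side check that aborts when the server-first-message carries an iteration count below the 4096 floor that RFC 5802 / RFC 7677 ask servers to announce, and the offline dictionary attack a hostile server can run against the captured ClientProof once the client has accepted `i=1`. The user name, nonces, salt and wordlist are constructed for the demo; only the SCRAM-SHA-256 arithmetic (Hi = PBKDF2-HMAC-SHA-256, ClientKey, StoredKey, ClientSignature, ClientProof) follows the RFC.

```python
"""SCRAM-SHA-256 client: minimum-iteration check and the offline attack
that becomes cheap when the check is missing (constructed example)."""
import base64
import hashlib
import hmac

# Floor a client should insist on; RFC 5802 / RFC 7677 say "at least 4096".
MIN_ITERATIONS = 4096


class ScramError(Exception):
    pass


def parse_server_first(msg):
    """Parse 'r=<nonce>,s=<base64 salt>,i=<count>' into a dict."""
    attrs = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ScramError("malformed attribute: %r" % part)
        attrs[key] = value
    for key in ("r", "s", "i"):
        if key not in attrs:
            raise ScramError("server-first-message missing %s=" % key)
    try:
        iterations = int(attrs["i"])
    except ValueError:
        raise ScramError("iteration count is not an integer")
    return {"nonce": attrs["r"], "salt": base64.b64decode(attrs["s"]),
            "iterations": iterations}


def check_server_first(parsed, client_nonce, min_iterations=MIN_ITERATIONS):
    """Hardened client: abort if the server nonce does not extend ours or the
    iteration count is below the floor. Returns True when acceptable."""
    if not parsed["nonce"].startswith(client_nonce):
        raise ScramError("server nonce does not start with client nonce")
    if parsed["iterations"] < min_iterations:
        raise ScramError("iteration count %d below minimum %d"
                         % (parsed["iterations"], min_iterations))
    return True


def hi(password, salt, iterations):
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256, dkLen = hash length.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def client_proof(password, salt, iterations, auth_message):
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def offline_guess(proof, salt, iterations, auth_message, wordlist):
    """What the hostile server does after the handshake: recompute the proof
    per candidate. Each guess costs one Hi() = `iterations` HMAC calls, so
    i=1 is roughly 4096x cheaper per guess than i=4096."""
    for candidate in wordlist:
        guess = client_proof(candidate, salt, iterations, auth_message)
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


def run_handshake(password, iterations, enforce_minimum):
    """Constructed transcript with the server choosing `iterations`. Returns
    what the client sent (and what a malicious server therefore captures);
    raises ScramError if the hardened client refused the server-first."""
    client_nonce = "Y2xpZW50bm9uY2U"          # constructed client nonce
    salt = bytes(range(16))                    # constructed 16-byte salt
    server_first = "r=%sU2VydmVyTm9uY2U,s=%s,i=%d" % (
        client_nonce, base64.b64encode(salt).decode(), iterations)
    parsed = parse_server_first(server_first)
    if enforce_minimum:
        check_server_first(parsed, client_nonce)
    client_first_bare = "n=alice,r=" + client_nonce
    client_final_bare = "c=biws,r=" + parsed["nonce"]
    auth_message = ",".join(
        [client_first_bare, server_first, client_final_bare]).encode()
    proof = client_proof(password, parsed["salt"], parsed["iterations"],
                         auth_message)
    return {"iterations": parsed["iterations"], "salt": parsed["salt"],
            "auth_message": auth_message, "proof": proof}


def hardened_client_accepts(iterations):
    try:
        run_handshake(b"letmein", iterations, enforce_minimum=True)
        return True
    except ScramError:
        return False


if __name__ == "__main__":
    # Unpatched behaviour: client accepts i=1, attacker recovers the password.
    t = run_handshake(b"letmein", 1, enforce_minimum=False)
    wordlist = [b"123456", b"password", b"letmein", b"correct horse"]
    print("recovered:", offline_guess(t["proof"], t["salt"], t["iterations"],
                                      t["auth_message"], wordlist))
    print("hardened client accepts i=1:", hardened_client_accepts(1))
    print("hardened client accepts i=4096:", hardened_client_accepts(4096))
```

The dictionary attack works at any iteration count; the point of the check is only that each guess costs the attacker `i` HMAC evaluations, so letting a server talk the client down to `i=1` hands it the cheapest possible cracking target. A client that enforces the floor refuses before any proof is computed.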

Neustradamus commented 8 months ago

To follow this ticket