Lucene search

2022-05-2419:20:12

CWE-347

GitHub Advisory Database

github.com

8

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

68.9%

Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to be used to integrate with the Stark Bank ecosystem, but are also accessible on popular package manager platforms in order to be used by other projects. The node package manager reports around 16k weekly downloads for the ecdsa-node implementation while the Python implementation boasts over 7.3M downloads in the last 90 days on PyPI. A number of these libraries suffer from a vulnerability in the signature verification functions, allowing attackers to forge signatures for arbitrary messages which successfully verify with any public key.

An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

The (slightly simplified) ECDSA verification of a signature * (r, s)* on a hashed message

The (slightly simplified) ECDSA verification of a signature * (r, s)* on a hashed message

- Check that
and**r**are integers in the**s**range, return Invalid if not.**[1, n-1]** - Compute
and**u<sub>1</sub> = zs<sup>-1</sup> mod n**.**u<sub>2</sub> = rs<sup>-1</sup> mod n** - Compute the elliptic curve point
, return Invalid if**(x, y) = u<sub>1</sub>G + u<sub>2</sub>Q**is the point at infinity.**(x, y)** - Return Valid if
, Invalid otherwise.**r ≡ x mod n**

The ECDSA signature verification functions in the libraries listed above fail to perform the first check, ensuring that the r and s components of the signatures are in the correct range. Specifically, the libraries are not checking that the components of the signature are non-zero, which is an important check mandated by the standard, see X9.62:2005, Section 7.4.1/a:

> 1. If * r’* is not an integer in the interval

> 2. If

For example, consider the following excerpt of the verify function from the ecdsa-python implementation.

```
def verify(cls, message, signature, publicKey, hashfunc=sha256):
byteMessage = hashfunc(toBytes(message)).digest()
numberMessage = numberFromByteString(byteMessage)
curve = publicKey.curve
r = signature.r
s = signature.s
inv = Math.inv(s, curve.N)
u1 = Math.multiply(curve.G, n=(numberMessage * inv) % curve.N, N=curve.N, A=curve.A, P=curve.P)
u2 = Math.multiply(publicKey.point, n=(r * inv) % curve.N, N=curve.N, A=curve.A, P=curve.P)
add = Math.add(u1, u2, A=curve.A, P=curve.P)
modX = add.x % curve.N
return r == modX
```

In that code snippet, the values `r`

and `s`

are extracted from the signature without any range check. An attacker supplying a signature equal to `(r, s) = (0, 0)`

will not see their signature rejected. Proceeding with the verification, this function computes the inverse of the `s`

component. Note that the `Math.inv()`

function returns zero when supplied with a zero input (even though 0 does not admit an inverse). The code then computes the values `u1 = inv * numberMessage * G`

and `u2 = inv * r * Q`

, but since `inv`

is zero, `u1`

and `u2`

will both be zero, i.e., the point at infinity, regardless of the value of numberMessage (the message hash, which we called * z* above) and

`0 == 0`

for all any message and any public key. Therefore, a signature `(r, s) = (0, 0)`

is deemed valid by the code for any message, and under any public key.Users of the different Stark Bank ECDSA libraries should update to the latest versions. Specifically, versions larger or at least equal to the following should be used.

- ecdsa-python: v2.0.1
- ecdsa-java: v1.0.1
- ecdsa-dotnet: v1.3.2
- ecdsa-elixir v1.0.1
- ecdsa-node v1.1.3

ecdsaelixirMatch1.0.0

CPE | Name | Operator | Version |
---|---|---|---|

ecdsa-elixir | eq | 1.0.0 |

github.com/advisories/GHSA-xx36-6rv4-gj8r

github.com/starkbank/ecdsa-elixir/commit/4b960e26768bb698f449eb7686b5664936b70b61

github.com/starkbank/ecdsa-elixir/commit/a5168f6d9cfbe0a0a62d92e2e9b1a97235d90343

github.com/starkbank/ecdsa-elixir/releases/tag/v1.0.1

nvd.nist.gov/vuln/detail/CVE-2021-43568

research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

68.9%

Related for GHSA-XX36-6RV4-GJ8R