A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.
9596418
.9596418
The specific line with the flaw is:
b.putByte(String.fromCharCode(next & 0xFF))
The definition of putByte
is
util.ByteBuffer.prototype.putByte = function(b) {
this.data += String.fromCharCode(b);
};
Simplified, this is String.fromCharCode(String.fromCharCode(next & 0xFF))
. This results in most of the buffer containing zeros. An example generated buffer:
(Note: truncated for brevity)
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x04\x00\x00\x00....\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
Since it is masking with 0xFF, approximately 97% of the bytes are converted to zeros. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion.
This issue was reported to GitHub Security Lab by Ross Wheeler of Axosoft. It was discovered by Axosoft engineer Dan Suceava, who noticed that keypair was regularly generating duplicate RSA keys. GitHub security engineer @vcsjones (Kevin Jones) independently investigated the problem and identified the cause and source code location of the bug.
github.com/juliangruber/keypair
github.com/juliangruber/keypair/commit/9596418d3363d3e757676c0b6a8f2d35a9d1cb18
github.com/juliangruber/keypair/releases/tag/v1.0.4
github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj
nvd.nist.gov/vuln/detail/CVE-2021-41117
securitylab.github.com/advisories/GHSL-2021-1012-keypair