Lucene search
GoogleOSV:GO-2022-0425HistoryFeb 15, 2022 - 1:57 a.m.
Weak encryption and denial of service in github.com/flynn/noise
2022-02-1501:57:18
Google
osv.dev
10
weak encryption
denial of service
noise protocol
cryptographic security
dos attack
nonce counter
key re-use
decrypt function
nonce desynchronization
EPSS
0.001
Percentile
34.6%
The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack.
After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce.
In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.
References
Related
osv
osv
Noise vulnerable to denial of service
2022-12-28 00:30:23
flynn/noise has improper nonce handling yielding potential state DoS
2022-02-15 01:57:18
ubuntucve
ubuntucve
CVE-2021-4239
2022-12-27 00:00:00
nvd
nvd
CVE-2021-4239
2022-12-27 22:15:12
github
github
Noise vulnerable to denial of service
2022-12-28 00:30:23
debiancve
debiancve
CVE-2021-4239
2022-12-27 22:15:12
cvelist
cvelist
prion
prion
Design/Logic Flaw
2022-12-27 22:15:00
cve
cve
CVE-2021-4239
2022-12-27 22:15:12
veracode
veracode
Uncontrolled Resource Consumption
2023-01-11 05:54:52