Описание
RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign
Impact
Jsrsasign supports RSA PKCS#1 v1.5 (i.e. RSAES-PKCS1-v1_5) and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability.
- If you don't use RSA PKCS1-v1_5 or RSA-OAEP decryption, this vulnerability is not affected.
- Risk to forge contents of encrypted message is very low.
- Risk to raise memory corruption is low since jsrsasign uses BigInteger class.
Patches
Users using RSA PKCS1-v1_5 or RSA-OAEP decryption should upgrade to 8.0.18.
Workarounds
Reject RSA PKCS1-v1_5 or RSA-OAEP encrypted message with unnecessary prepending zeros.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-14967 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967 https://vuldb.com/?id.157124 https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt https://github.com/kjur/jsrsasign/issues/439
Ссылки
- https://github.com/kjur/jsrsasign/security/advisories/GHSA-xxxq-chmp-67g4
- https://nvd.nist.gov/vuln/detail/CVE-2020-14967
- https://github.com/kjur/jsrsasign/issues/439
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967
- https://github.com/kjur/jsrsasign/releases/tag/8.0.17
- https://github.com/kjur/jsrsasign/releases/tag/8.0.18
- https://kjur.github.io/jsrsasign
- https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt
- https://security.netapp.com/advisory/ntap-20200724-0001
- https://vuldb.com/?id.157124
- https://www.npmjs.com/package/jsrsasign
Пакеты
jsrsasign
< 8.0.18
8.0.18
Связанные уязвимости
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.