nvd-json-data-feeds/CVE-2021/CVE-2021-411xx/CVE-2021-41117.json

{
  "id": "CVE-2021-41117",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-10-11T17:15:07.973",
  "lastModified": "2021-10-19T02:19:20.640",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "keypair is a a RSA PEM key generator written in javascript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output. Issue 1: Poor random number generation (`GHSL-2021-1012`). The library does not rely entirely on a platform provided CSPRNG, rather, it uses it's own counter-based CMAC approach. Where things go wrong is seeding the CMAC implementation with \"true\" random data in the function `defaultSeedFile`. In order to seed the AES-CMAC generator, the library will take two different approaches depending on the JavaScript execution environment. In a browser, the library will use [`window.crypto.getRandomValues()`](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L971). However, in a nodeJS execution environment, the `window` object is not defined, so it goes down a much less secure solution, also of which has a bug in it. It does look like the library tries to use node's CSPRNG when possible unfortunately, it looks like the `crypto` object is null because a variable was declared with the same name, and set to `null`. So the node CSPRNG path is never taken. However, when `window.crypto.getRandomValues()` is not available, a Lehmer LCG random number generator is used to seed the CMAC counter, and the LCG is seeded with `Math.random`. While this is poor and would likely qualify in a security bug in itself, it does not explain the extreme frequency in which duplicate keys occur. The main flaw: The output from the Lehmer LCG is encoded incorrectly. The specific [line][https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008] with the flaw is: `b.putByte(String.fromCharCode(next & 0xFF))` The [definition](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L350-L352) of `putByte` is `util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};`. Simplified, this is `String.fromCharCode(String.fromCharCode(next & 0xFF))`. The double `String.fromCharCode` is almost certainly unintentional and the source of weak seeding. Unfortunately, this does not result in an error. Rather, it results most of the buffer containing zeros. Since we are masking with 0xFF, we can determine that 97% of the output from the LCG are converted to zeros. The only outputs that result in meaningful values are outputs 48 through 57, inclusive. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9. In summary, there are three immediate concerns: 1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and `Math.random`. 2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available. 3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero. Due to the poor random number generation, keypair generates RSA keys that are relatively easy to guess. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim."
    },
    {
      "lang": "es",
      "value": "keypair es un generador de claves RSA PEM escrito en javascript. keypair implementa un mont\u00f3n de primitivas criptogr\u00e1ficas por s\u00ed mismo o tomando prestado de otras bibliotecas cuando es posible, incluyendo node-forge. Se detect\u00f3 un problema en el que esta biblioteca genera claves RSA id\u00e9nticas a las usadas en SSH. Esto significa que la biblioteca est\u00e1 generando valores P, Q (y por lo tanto N) id\u00e9nticos, lo cual, en t\u00e9rminos pr\u00e1cticos, es imposible con claves RSA-2048. Generar valores id\u00e9nticos, repetidamente, indica un problema de generaci\u00f3n de n\u00fameros aleatorios pobre, o, un manejo inapropiado de la salida del CSPRNG. Problema 1: Generaci\u00f3n inapropiada de n\u00fameros aleatorios (\"GHSL-2021-1012\"). La biblioteca no se basa completamente en un CSPRNG proporcionado por la plataforma, sino que usa su propio enfoque CMAC basado en contadores. Donde las cosas van inapropiadamente es al sembrar la implementaci\u00f3n de CMAC con datos aleatorios \"true\" en la funci\u00f3n \"defaultSeedFile\". Para sembrar el generador de AES-CMAC, la biblioteca toma dos enfoques diferentes dependiendo del entorno de ejecuci\u00f3n de JavaScript. En un navegador, la biblioteca usa [\"window.crypto.getRandomValues()\"](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L971). Sin embargo, en un entorno de ejecuci\u00f3n nodeJS, el objeto \"window\" no est\u00e1 definido, por lo que se recurre a una soluci\u00f3n mucho menos segura, que presenta un bug. Parece que la librer\u00eda intenta usar el CSPRNG de node cuando es posible, desafortunadamente, parece que el objeto \"crypto\" es nulo porque se declar\u00f3 una variable con el mismo nombre, y se estableci\u00f3 como \"null\". La ruta del CSPRNG del nodo nunca se toma. Sin embargo, cuando \"window.crypto.getRandomValues()\" no est\u00e1 disponible, se usa un generador de n\u00fameros aleatorios LCG de Lehmer para sembrar el contador CMAC, y el LCG es sembrado con \"Math.random\". Mientras que esto es pobre y probablemente calificar\u00eda en un fallo de seguridad en s\u00ed mismo, no explica la extrema frecuencia en la que se producen claves duplicadas. El principal fallo: la salida del LCG de Lehmer est\u00e1 codificada incorrectamente. La [l\u00ednea][https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008] espec\u00edfica con el fallo es: \"b.putByte(String.fromCharCode(next & 0xFF))\" La [definici\u00f3n](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L350-L352) de \"putByte\" es \"util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};\". Simplificado, esto es \"String.fromCharCode(String.fromCharCode(next & 0xFF))\". El doble \"String.fromCharCode\" es casi seguro que no es intencionado y es el origen de una semilla d\u00e9bil. Esto no resulta en un error. Hace que la mayor parte del buffer contenga ceros. Al estar enmascarando con 0xFF, podemos determinar que el 97% de las salidas del LCG se convierten en ceros. Las \u00fanicas salidas que resultan en valores significativos son las salidas 48 a 57, inclusive. El impacto es que cada byte en la semilla RNG presenta un 97% de posibilidades de ser 0 debido a una conversi\u00f3n incorrecta. Cuando no lo es, los bytes son del 0 al 9. En resumen, hay tres preocupaciones inmediatas: 1. La biblioteca presenta una ruta de retorno de n\u00fameros aleatorios no segura. Lo ideal es que la biblioteca requiriera un CSPRNG fuerte en lugar de intentar usar un LCG y \"Math.random\". 2. La librer\u00eda no usa correctamente un generador de n\u00fameros aleatorios fuerte cuando se ejecuta en NodeJS, incluso cuando un CSPRNG fuerte est\u00e1 disponible. 3. La ruta de retorno tiene un problema en la implementaci\u00f3n donde la mayor\u00eda de los datos de la semilla ser\u00e1n efectivamente cero. Debido a la pobre generaci\u00f3n de n\u00fameros aleatorios, keypair genera claves RSA que son relativamente f\u00e1ciles de adivinar. Esto podr\u00eda permitir a un atacante descifrar mensajes confidenciales o conseguir acceso autorizado a una cuenta perteneciente a la v\u00edctima"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.8
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.4
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-335"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:keypair_project:keypair:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.0.4",
              "matchCriteriaId": "36FA382B-7E16-4FDE-B638-56D2FE66602E"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj",
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://securitylab.github.com/advisories/GHSL-2021-1012-keypair/",
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}