Integer overflow in Nimbus JOSE+JWT

#VU24175 Integer overflow in Nimbus JOSE+JWT

Cybersecurity Help s.r.o.

Published: 2020-01-10

Vulnerability identifier: #VU24175

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12972

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nimbus JOSE+JWT
Universal components / Libraries / Libraries used by multiple products

Vendor: Connect2id Ltd.

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to integer overflow when converting length values from bytes to bits in Nimbus JOSE+JWT. A remote attacker can shift Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC, trigger integer overflow and bypass HMAC authentication.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Nimbus JOSE+JWT: 4.0 - 4.39

External links
http://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c
http://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc
http://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
http://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM PureData System for Operational Analytics

Multiple vulnerabilities in Nimbus JOSE+JWT