#VU29196 Cryptographic issues in elliptic - CVE-2020-13822

Cybersecurity Help s.r.o.

Published: 2020-06-22 | Updated: 2020-07-30

Vulnerability identifier: #VU29196

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-13822

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
elliptic
Web applications / JS libraries

Vendor: indutny

Description

The vulnerability allows a remote attacker to comrpomise the target system.

The vulnerability exists due to the affected software allows ECDSA signature malleability via variations in encoding, leading "\0" bytes, or integer overflows. A remote attacker can cause a security-relevant impact if an application relied on a single canonical signature.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

elliptic: 6.5.2

External links
https://github.com/indutny/elliptic/issues/226
https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
https://www.npmjs.com/package/elliptic
https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/
https://www.npmjs.com/advisories/1547

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Cryptographic issues in elliptic package for npm