#VU63701 Use of a broken or risky cryptographic algorithm in elliptic - CVE-2020-28498

Cybersecurity Help s.r.o.

Published: 2022-05-26 | Updated: 2022-05-26

Vulnerability identifier: #VU63701

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-28498

CWE-ID: CWE-327

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
elliptic
Web applications / JS libraries

Vendor: indutny

Description
The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to cryptographic issues in the secp256k1 implementation in elliptic/ec/key.js. A remote attacker can pass specially crafted public key point to the application and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

elliptic: 0.1.0 - 6.5.3

External links
https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836
https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM QRadar User Behavior Analytics

Multiple vulnerabilities in IBM Security QRadar Analyst Workflow

Use of a broken or risky cryptographic algorithm in indutny elliptic