CVE-2021-41117
KeyPair - Weak Random Number Generation Allows Guessable RSA Keys
Description
keypair is a a RSA PEM key generator written in javascript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output. Issue 1: Poor random number generation (`GHSL-2021-1012`). The library does not rely entirely on a platform provided CSPRNG, rather, it uses it's own counter-based CMAC approach. Where things go wrong is seeding the CMAC implementation with "true" random data in the function `defaultSeedFile`. In order to seed the AES-CMAC generator, the library will take two different approaches depending on the JavaScript execution environment. In a browser, the library will use [`window.crypto.getRandomValues()`](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L971). However, in a nodeJS execution environment, the `window` object is not defined, so it goes down a much less secure solution, also of which has a bug in it. It does look like the library tries to use node's CSPRNG when possible unfortunately, it looks like the `crypto` object is null because a variable was declared with the same name, and set to `null`. So the node CSPRNG path is never taken. However, when `window.crypto.getRandomValues()` is not available, a Lehmer LCG random number generator is used to seed the CMAC counter, and the LCG is seeded with `Math.random`. While this is poor and would likely qualify in a security bug in itself, it does not explain the extreme frequency in which duplicate keys occur. The main flaw: The output from the Lehmer LCG is encoded incorrectly. The specific [line][https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008] with the flaw is: `b.putByte(String.fromCharCode(next & 0xFF))` The [definition](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L350-L352) of `putByte` is `util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};`. Simplified, this is `String.fromCharCode(String.fromCharCode(next & 0xFF))`. The double `String.fromCharCode` is almost certainly unintentional and the source of weak seeding. Unfortunately, this does not result in an error. Rather, it results most of the buffer containing zeros. Since we are masking with 0xFF, we can determine that 97% of the output from the LCG are converted to zeros. The only outputs that result in meaningful values are outputs 48 through 57, inclusive. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9. In summary, there are three immediate concerns: 1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and `Math.random`. 2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available. 3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero. Due to the poor random number generation, keypair generates RSA keys that are relatively easy to guess. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim.
INFO
Published Date :
Oct. 11, 2021, 5:15 p.m.
Last Modified :
Nov. 21, 2024, 6:25 a.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.2
Exploitability Score :
3.9
Public PoC/Exploit Available at Github
CVE-2021-41117 has a 6 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2021-41117.
| URL | Resource |
|---|---|
| https://github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj | Exploit Patch Third Party Advisory |
| https://securitylab.github.com/advisories/GHSL-2021-1012-keypair/ | Exploit Third Party Advisory |
| https://github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj | Exploit Patch Third Party Advisory |
| https://securitylab.github.com/advisories/GHSL-2021-1012-keypair/ | Exploit Third Party Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Vulnerable version of keypair plus script to generate vulnerable keys
JavaScript Shell
All CVE - PoC in GitHub
poc proofofconcept tester allcve cvegithub cvenew cvepoc cveupdate
None
None
Private keys generated with vulnerable keypair versions (CVE-2021-41117)
Paranoid's library contains implementations of checks for well known weaknesses on cryptographic artifacts.
cryptography security
Python C++ Dockerfile
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2021-41117 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2021-41117 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj Added Reference https://securitylab.github.com/advisories/GHSL-2021-1012-keypair/ -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
Initial Analysis by [email protected]
Oct. 19, 2021
Action Type Old Value New Value Added CVSS V2 NIST (AV:N/AC:L/Au:N/C:P/I:P/A:N) Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Changed Reference Type https://github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj No Types Assigned https://github.com/juliangruber/keypair/security/advisories/GHSA-3f99-hvg4-qjwj Exploit, Patch, Third Party Advisory Changed Reference Type https://securitylab.github.com/advisories/GHSL-2021-1012-keypair/ No Types Assigned https://securitylab.github.com/advisories/GHSL-2021-1012-keypair/ Exploit, Third Party Advisory Added CPE Configuration OR *cpe:2.3:a:keypair_project:keypair:*:*:*:*:*:*:*:* versions up to (excluding) 1.0.4
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2021-41117 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2021-41117
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
1.05 }} -0.07%
score
0.76364
percentile