GHSA-346H-749J-R28W

Vulnerability from github – Published: 2024-04-25 18:31 – Updated: 2024-04-25 18:31
VLAI
Summary
PHPECC vulnerable to multiple cryptographic side-channel attacks
Details

ECDSA Canonicalization

PHPECC is vulnerable to malleable ECDSA signature attacks.

Constant-Time Signer

When generating a new ECDSA signature, the GMPMath adapter was used. This class wraps the GNU Multiple Precision arithmetic library (GMP), which does not aim to provide constant-time implementations of algorithms.

An attacker capable of triggering many signatures and studying the time it takes to perform each operation would be able to leak the secret number, k, and thereby learn the private key.

EcDH Timing Leaks

When calculating a shared secret using the EcDH class, the scalar-point multiplication is based on the arithmetic defined by the Point class.

Even though the library implements a Montgomery ladder, the add(), mul(), and getDouble() methods on the Point class are not constant-time. This means that your ECDH private keys are leaking information about each bit of your private key through a timing side-channel.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mdanter/ecc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T18:31:58Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### ECDSA Canonicalization\n\nPHPECC is vulnerable to malleable ECDSA signature attacks. \n\n### Constant-Time Signer\n\nWhen generating a new ECDSA signature, the GMPMath adapter was used. This class wraps the GNU Multiple Precision arithmetic library (GMP), which does not aim to provide constant-time implementations of algorithms.\n\nAn attacker capable of triggering many signatures and studying the time it takes to perform each operation would be able to leak the secret number, `k`, and thereby learn the private key.\n\n### EcDH Timing Leaks\n\nWhen calculating a shared secret using the `EcDH` class, the scalar-point multiplication is based on the arithmetic defined by the `Point` class.\n\nEven though the library implements a Montgomery ladder, the `add()`, `mul()`, and `getDouble()` methods on the `Point` class are not constant-time. This means that your ECDH private keys are leaking information about each bit of your private key through a timing side-channel.",
  "id": "GHSA-346h-749j-r28w",
  "modified": "2024-04-25T18:31:58Z",
  "published": "2024-04-25T18:31:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mdanter/ecc/2024-04-24.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paragonie/phpecc/releases/tag/v2.0.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phpecc/phpecc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PHPECC vulnerable to multiple cryptographic side-channel attacks"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…