GHSA-g9mp-8g3h-3c5c – github.com/flynn/noise
Package
Manager: go
Name: github.com/flynn/noise
Vulnerable Version: >=0 <1.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
flynn/noise has improper nonce handling yielding potential state DoS

The Go package `github.com/flynn/noise`, a [Noise Protocol](https://noiseprotocol.org/) implementation, has two bugs in nonce handling in versions prior to v1.0.0.

### Issue 1: Potential nonce overflow

If 2<sup>64</sup> (~18.4 quintillion) or more messages are encrypted with `Encrypt` after handshaking, the nonce counter wraps around, so multiple messages are encrypted under the same key and nonce. This potentially weakens the security properties of the symmetric cipher catastrophically.

This has been resolved in the patched version by returning `ErrMaxNonce` from the `CipherState` `Encrypt` and `Decrypt` methods before the reserved maximum nonce is reached. If this error is encountered, the program should handshake again to start with a fresh `CipherState`.

### Issue 2: Potential denial of service via invalid ciphertext

If an attacker sends an invalid ciphertext into one peer's `Decrypt`, the nonce is incremented unconditionally. This desynchronizes the `CipherState` on the two peers (their nonces no longer match), so every subsequent message fails to decrypt and a new handshake is required to establish a new `CipherState`.

This has been resolved in the patched version by returning authentication errors from `Decrypt` before incrementing the nonce.

### Patches

Fixed in https://github.com/flynn/noise/pull/44, tagged as v1.0.0.

### Acknowledgements

These issues were discovered during [an audit](https://www.bamsoftware.com/software/dnstt/cure53-turbotunnel-2021.pdf) of a user of this package ([dnstt](https://www.bamsoftware.com/software/dnstt/)). Thanks to UC Berkeley for commissioning the audit, and to David Fifield and Nathan Brown for their collaboration on the fixes. The fixed issues are noted in the audit as:

* UCB-02-003 Potential nonce overflow in Noise protocol
* UCB-02-006 DoS due to unconditional nonce increment
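The two behaviours described above, as an added Go illustration that is not the flynn/noise code: a minimal stand-in for `CipherState` whose `fixed` flag switches between the pre-v1.0.0 nonce handling and the v1.0.0 fix. AES-GCM with a constructed all-zero key, the forged message, and the helpers `NewDemoState` and `InjectThenDeliver` are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// ErrMaxNonce is returned before the reserved counter value 2^64-1 is ever used.
var ErrMaxNonce = errors.New("cipherstate: max nonce reached, rehandshake required")
// CipherState stands in for the flynn/noise type (not its code): AEAD + 64-bit counter; fixed toggles the v1.0.0 patch.
type CipherState struct {
	aead  cipher.AEAD
	n     uint64
	fixed bool
}
// nonce uses the Noise AESGCM layout: 4 zero bytes followed by the big-endian counter.
func (c *CipherState) nonce() []byte { return binary.BigEndian.AppendUint64(make([]byte, 4, 12), c.n) }
func (c *CipherState) Encrypt(ad, plaintext []byte) ([]byte, error) {
	if c.fixed && c.n == ^uint64(0) {
		return nil, ErrMaxNonce // Issue 1 fix (the patch guards Decrypt the same way)
	}
	ct := c.aead.Seal(nil, c.nonce(), plaintext, ad)
	c.n++ // unpatched: silently wraps to 0 after 2^64 messages, so nonces repeat
	return ct, nil
}
func (c *CipherState) Decrypt(ad, ciphertext []byte) ([]byte, error) {
	pt, err := c.aead.Open(nil, c.nonce(), ciphertext, ad)
	if err != nil && c.fixed {
		return nil, err // Issue 2 fix: a rejected message must not advance n
	}
	c.n++ // unpatched: advances even on auth failure, desyncing the peers
	return pt, err
}
// NewDemoState builds a state over a constructed all-zero 32-byte key (demo only).
func NewDemoState(fixed bool) *CipherState {
	block, _ := aes.NewCipher(make([]byte, 32))
	aead, _ := cipher.NewGCM(block)
	return &CipherState{aead: aead, fixed: fixed}
}
// InjectThenDeliver: one forged ciphertext, then a genuine one; true = genuine still decrypts (peers in sync).
func InjectThenDeliver(fixed bool) bool {
	tx, rx := NewDemoState(fixed), NewDemoState(fixed)
	forged := make([]byte, 18) // constructed junk from a third party; fails authentication
	_, _ = rx.Decrypt(nil, forged)
	good, _ := tx.Encrypt(nil, []byte("m1"))
	_, err := rx.Decrypt(nil, good)
	return err == nil
}
```

`InjectThenDeliver(false)` returns false because the receiver's counter moved past the sender's on the forged message; `InjectThenDeliver(true)` returns true.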
Metadata
Created: 2022-02-15T01:57:18Z
Modified: 2023-08-29T20:07:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-g9mp-8g3h-3c5c/GHSA-g9mp-8g3h-3c5c.json
CWE IDs: []
Alternative ID: N/A
Finding: F052
Auto approve: 1