Fluid Attacks Database

Description

RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign

Impact

Jsrsasign supports RSA PKCS#1 v1.5 (i.e. RSAES-PKCS1-v1_5) and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability.

If you don't use RSA PKCS1-v1_5 or RSA-OAEP decryption, this vulnerability is not affected.

Risk to forge contents of encrypted message is very low.

Risk to raise memory corruption is low since jsrsasign uses BigInteger class.

Patches

Users using RSA PKCS1-v1_5 or RSA-OAEP decryption should upgrade to 8.0.18.

Workarounds

Reject RSA PKCS1-v1_5 or RSA-OAEP encrypted message with unnecessary prepending zeros.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-14967 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967 https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt https://github.com/kjur/jsrsasign/issues/439

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jsrsasign	>=0 <8.0.18	8.0.18

Aliases

1. CVE-2020-149672. NVD-2020-149673. OSV-2020-149674. GHSA-xxxq-chmp-67g45. GCVE-2020-14967

References

1. https://github.com/kjur/jsrsasign/security/advisories/GHSA-xxxq-chmp-67g42. https://github.com/kjur/jsrsasign/issues/4393. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-149674. https://github.com/kjur/jsrsasign/releases/tag/8.0.175. https://github.com/kjur/jsrsasign/releases/tag/8.0.186. https://kjur.github.io/jsrsasign7. https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt8. https://security.netapp.com/advisory/ntap-20200724-00019. https://www.npmjs.com/package/jsrsasign