Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-41117

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Published: Oct 11, 2021 | Modified: Oct 19, 2021
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-41117
CWEhttps://cwe.mitre.org/data/definitions/335.html

keypair is a a RSA PEM key generator written in javascript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output. Issue 1: Poor random number generation (GHSL-2021-1012). The library does not rely entirely on a platform provided CSPRNG, rather, it uses its own counter-based CMAC approach. Where things go wrong is seeding the CMAC implementation with true random data in the function defaultSeedFile. In order to seed the AES-CMAC generator, the library will take two different approaches depending on the JavaScript execution environment. In a browser, the library will use window.crypto.getRandomValues(). However, in a nodeJS execution environment, the window object is not defined, so it goes down a much less secure solution, also of which has a bug in it. It does look like the library tries to use nodes CSPRNG when possible unfortunately, it looks like the crypto object is null because a variable was declared with the same name, and set to null. So the node CSPRNG path is never taken. However, when window.crypto.getRandomValues() is not available, a Lehmer LCG random number generator is used to seed the CMAC counter, and the LCG is seeded with Math.random. While this is poor and would likely qualify in a security bug in itself, it does not explain the extreme frequency in which duplicate keys occur. The main flaw: The output from the Lehmer LCG is encoded incorrectly. The specific [line][https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008] with the flaw is: b.putByte(String.fromCharCode(next & 0xFF)) The definition of putByte is util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};. Simplified, this is String.fromCharCode(String.fromCharCode(next & 0xFF)). The double String.fromCharCode is almost certainly unintentional and the source of weak seeding. Unfortunately, this does not result in an error. Rather, it results most of the buffer containing zeros. Since we are masking with 0xFF, we can determine that 97% of the output from the LCG are converted to zeros. The only outputs that result in meaningful values are outputs 48 through 57, inclusive. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9. In summary, there are three immediate concerns: 1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and Math.random. 2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available. 3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero. Due to the poor random number generation, keypair generates RSA keys that are relatively easy to guess. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim.

Weakness

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Affected Software

Name Vendor Start Version End Version
Keypair Keypair_project * 1.0.4 (excluding)

Extended Description

       PRNGs are deterministic and, while their output appears
       random, they cannot actually create entropy. They rely on
       cryptographically secure and unique seeds for entropy so
       proper seeding is critical to the secure operation of the
       PRNG.

       Management of seeds could be broken down into two main areas:
	   

		 
		 
	   

           PRNGs require a seed as input to generate a stream of
           numbers that are functionally indistinguishable from
           random numbers.  While the output is, in many cases,
           sufficient for cryptographic uses, the output of any
           PRNG is directly determined by the seed provided as
           input. If the seed can be ascertained by a third party,
           the entire output of the PRNG can be made known to
           them. As such, the seed should be kept secret and
           should ideally not be able to be guessed. For example,
           the current time may be a poor seed. Knowing the
           approximate time the PRNG was seeded greatly reduces
           the possible key space.
		 

           Seeds do not necessarily need to be unique, but reusing seeds may open up attacks if the seed is discovered.

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use