Overview
About vulnerability
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of ‘k’ (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of ‘k’ is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).
Details
- Affected product:
- Acorn , AlmaLinux 9.2 ESU , Next.js , Node.js , TuxCare 9.6 ESU , autodll-webpack-plugin , babel-loader , boxen , browserify-sign , cache-loader , check-updates , createecdh , cross-spawn , crypto-browserify , elliptic , execa , extract-text-webpack-plugin , file-loader , friendly-errors-webpack-plugin , html-webpack-plugin , jpm , loopback , loopback-connector , loopback-connector-remote , loopback-datasource-juggler , loopback-phase , ng-packagr , npm , npx , nuxt , optimize-css-assets-webpack-plugin , os-locale , preload-webpack-plugin , progress-bar-webpack-plugin , script-ext-html-webpack-plugin , semantic-release , semver , strong-globalize , strong-remoting , term-size , terser-webpack-plugin , uglifyjs-webpack-plugin , update-notifier , webpack , webpack-dev-middleware , webpack-dev-server , webpack-subresource-integrity , webpackbar , yargs
- Affected packages:
- elliptic (+124 more)
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of ‘k’ (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of ‘k’ is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).