CVE-2022-24772: Security vulnerability in RSA PKCS#1 signature verification in node-forge prior to version 1.3.

The node-forge library is a popular and widely used JavaScript implementation of Transport Layer Security (TLS). Recently, a vulnerability (CVE-2022-24772) was discovered in the RSA PKCS#1 v1.5 signature verification code, affecting all versions prior to 1.3.. This vulnerability allows attackers to forge signatures by modifying padding bytes and adding garbage data when a low public exponent is used. This blog post will outline the details of this vulnerability, provide code snippets to understand the issue, and guide you on how to mitigate this security risk in your applications.

Details of the vulnerability

The RSA PKCS#1 v1.5 signature scheme, used in node-forge for verifying digital signatures, fails to check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. In other words, the verification code processes extra data after the DigestInfo structure, allowing an attacker to remove padding bytes and add garbage data for forging a valid signature when a low public exponent is used.

To understand this vulnerability, let's first discuss how digital signatures are created and verified. In RSA-based digital signatures, a data digest (hash) is computed from the original data. The private key owner then encrypts this digest using their private key, producing a signature. To verify the signature, the recipient decrypts the signature using the signer's public key, resulting in a decrypted digest. The recipient also computes a digest of the original data and compares it with the decrypted digest. If the digests match, the signature is considered valid.

The security issue lies in the signature verification process. As node-forge does not properly handle garbage bytes, an attacker can exploit this vulnerability by carefully crafting a forged signature with extra bytes. When the recipient attempts to verify this signature, they may incorrectly confirm its validity due to the presence of garbage bytes.

Code snippet demonstrating the vulnerability

const forge = require('node-forge');

// Public key with low exponent (BAD)
const publicKeyPem = `-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----`;

const publicKey = forge.pki.publicKeyFromPem(publicKeyPem);

// Forged signature with garbage bytes (BAD)
const forgedSignature = '...';

// Message hash (digest)
const messageHash = '...';

// Note: Signature verification returns true, while it should fail (BAD)
const isValid = publicKey.verify(messageHash, forgedSignature);

console.log(Signature is valid: ${isValid});

Mitigations

The vulnerability is fixed in node-forge version 1.3.. Thus, to mitigate this issue, it is recommended that you update your library to the latest version.

npm install node-forge@latest

If you cannot update immediately, you should avoid using low-exponent public keys and refrain from using the affected RSA PKCS#1 v1.5 signature verification implementation in mission-critical applications or security-sensitive contexts.

Conclusion

In summary, CVE-2022-24772 is a critical security vulnerability affecting the node-forge library prior to version 1.3.. The vulnerability allows attackers to forge signatures by exploiting the improper handling of garbage bytes in the RSA PKCS#1 v1.5 signature verification code. To mitigate this issue, it is highly recommended to update your node-forge library to the latest version.

For more information and details on the vulnerability and its patch, refer to the following resources:

- NVD (National Vulnerability Database) - CVE-2022-24772
- GitHub - node-forge issue #960
- GitHub - node-forge commit fixing the vulnerability
- npm - node-forge version 1.3.

Remember to always keep your libraries up-to-date and be vigilant for newly discovered security vulnerabilities. Stay safe, and happy coding!

Timeline

Published on: 03/18/2022 14:15:00 UTC
Last modified on: 03/28/2022 14:10:00 UTC