CVE-2022-24884 - Zero Signature Forgery Vulnerability in ecdsautils

A critical vulnerability, CVE-2022-24884, has been discovered in ecdsautils, a collection of utilities for working with ECDSA (Elliptic Curve Digital Signature Algorithm) cryptography. This vulnerability allows attackers to forge signatures by exploiting a weakness in the handling of signature values (r and s) during the verification process. Both the ecdsautil verify command-line interface (CLI) utility and the libecdsautil library are affected. This issue has been addressed in the latest release of ecdsautils .4.1.

Exploit Details

The vulnerability stems from the functions ecdsa_verify_prepare_legacy() and ecdsa_verify_list_legacy() in ecdsautils, which do not properly validate whether the provided signature values r and s are non-zero. As a result, a signature consisting only of zeroes is deemed valid, making it trivial for an attacker to forge signatures.

Furthermore, the ecdsa_verify_list_legacy() function is unable to mitigate this vulnerability, as it will accept an arbitrary number of such zero-filled, forged signatures when verifying multiple signatures from different public keys.

Here's a code snippet that demonstrates the vulnerable ecdsa_verify_prepare_legacy() implementation:

int ecdsa_verify_prepare_legacy(const secp256k1_context *ctx, const unsigned char *msg32, const unsigned char *sig, const unsigned pu[64])
{
    secp256k1_ecdsa_signature sig_;

    if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig_, sig))
        return ;

    		...
    return 1;
}

Proposed Fix

To patch this vulnerability, make sure to validate the signature values r and s as non-zero before proceeding with the verification process.

Affected Versions

All older versions of ecdsautils, including versions before the split into a library and a CLI utility, are vulnerable to this issue. To mitigate the risks associated with this vulnerability, users should update ecdsautils to version .4.1 or higher.

The following links provide additional information on CVE-2022-24884 and the ecdsautils project

1. [CVE-2022-24884] (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24884)
2. [ecdsautils GitHub Repository] (https://github.com/bitcointrezor/trezor-crypto/tree/master/tools/ecdsautil)
3. [ECDSA (Elliptic Curve Digital Signature Algorithm) Wikipedia page] (https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm)

Conclusion

CVE-2022-24884 is a critical vulnerability in ecdsautils that allows attackers to forge signatures using zero-filled values. By updating ecdsautils to version .4.1 or higher, users can ensure they are protected against this exploit.

Timeline

Published on: 05/06/2022 00:15:00 UTC
Last modified on: 05/16/2022 18:08:00 UTC