
cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130) #1635

Merged
merged 16 commits into from Apr 6, 2021

Conversation

terrafrost
Member

No description provided.

@terrafrost terrafrost merged commit 05550b9 into phpseclib:1.0 Apr 6, 2021
sumityadav added a commit to sumityadav/security-advisories that referenced this pull request Apr 13, 2021
@MrPetovan

Is this going to be fixed in the version 2.0 branch? We're using version 2.0.4 over at https://github.com/friendica/friendica-addons and I would prefer not to have to either downgrade to version 2.0.31 or figure out if we can use version 3.0.7.

@terrafrost
Member Author

terrafrost commented Apr 26, 2021

@MrPetovan :

First, the fix is in the 2.0 branch. The release that contains this has been tagged as 2.0.31, which is not a downgrade from 2.0.4 - it's an upgrade.

Second, the only vulnerabilities are in the 3.0 branch. Quoting the disclosure (which I can send to you if you'd like; I kinda wish the author would make it public but whatever):

In short, we have found 4 leniencies in phpseclib v3 (relaxed mode)'s RSA PKCS#1 v1.5 signature verification (2 vulnerabilities with Bleichenbacher-style low public exponent RSA Signature Forgery and 2 bugs causing interoperability issues [accepting invalid signature values that should have been rejected]). We have also found an incompatibility issue in phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature verification suffering from rejecting valid signatures whose encoded message uses the implicit hash algorithm NULL parameter.

So to sum it up, there were five issues total.

  1. Two were vulnerabilities in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0)
  2. Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode (which again, doesn't exist in 2.0)
  3. One was a bug in v1.0, v2.0 and v3.0.

In other words, v2.0 does not have a vulnerability, according to the original paper.
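The comment above distinguishes two kinds of problem: a relaxed, parse-based verifier that accepts encoded messages it should reject, and a strict verifier that rejects a valid DigestInfo whose hash AlgorithmIdentifier omits the NULL parameter. The example below is added here and is not phpseclib code: it implements verification by encode-and-compare (rebuild every acceptable EMSA-PKCS1-v1_5 encoding for SHA-256, with and without the NULL parameter, and compare the whole block), beside a constructed parse-based verifier, `verify_lenient`, that illustrates the leniency class (it never checks what follows the digest). `raw_sign` applies the private key to an arbitrary encoded message so a test suite can feed a verifier "signed but malformed" blocks. The key generation is a toy for a self-contained run; all function names are this example's own.

```python
# Added example, not phpseclib code: PKCS#1 v1.5 signature verification by
# encode-and-compare, plus a malformed-but-signed test vector a lenient
# parse-based verifier accepts. SHA-256 only; toy RSA key generation.
import hashlib
import hmac
import secrets

# DigestInfo prefixes for SHA-256 (RFC 8017, section 9.2, note 1): with the
# explicit NULL parameter, and with the parameter omitted ("implicit NULL").
SHA256_DI_NULL = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_DI_NO_NULL = bytes.fromhex("302f300b06096086480165030402010420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with a small-prime prefilter (demo quality)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_key(bits=1024, e=65537):
    """Toy RSA key (n, e, d) for the demo; not for production use."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def modulus_len(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15(message, k, with_null=True):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    prefix = SHA256_DI_NULL if with_null else SHA256_DI_NO_NULL
    t = prefix + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def em_with_trailing_bytes(message, k, extra):
    """Constructed test vector: a correct DigestInfo followed by extra bytes,
    with the padding shortened to make room. Must be rejected by a verifier."""
    t = SHA256_DI_NULL + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3 - len(extra)) + b"\x00" + t + extra


def raw_sign(n, d, em):
    """Apply the private key to an encoded message (RSASP1 + I2OSP)."""
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(modulus_len(n), "big")


def verify_strict(n, e, sig, message):
    """Recover EM and compare it, whole, against each acceptable encoding."""
    k = modulus_len(n)
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return any(hmac.compare_digest(em, emsa_pkcs1_v15(message, k, nul))
               for nul in (True, False))


def verify_lenient(n, e, sig, message):
    """Parse-based verifier illustrating the leniency class: it walks the
    padding to the 0x00 separator, then only checks that the DigestInfo and
    digest appear next. Padding length and trailing bytes go unchecked."""
    k = modulus_len(n)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    rest = em[i + 1:]
    h = hashlib.sha256(message).digest()
    return rest.startswith(SHA256_DI_NULL + h) or rest.startswith(SHA256_DI_NO_NULL + h)
```

The strict verifier accepts both DigestInfo forms by construction, which is the interoperability fix the comment describes for the v1/v2/v3 strict mode, and rejects anything that is not byte-for-byte one of the expected blocks. Feeding `verify_lenient` the `em_with_trailing_bytes` vector shows why a parse-based check is risky: a signature over a block that is not a valid encoding passes.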

@MrPetovan

Thank you so much for the answer. For some reason I read 2.0.31 as 2.0.3.1, which would have made it a downgrade from 2.0.4. Sorry about the confusion.

@terrafrost
Member Author

Although phpseclib isn't mentioned in it, https://myweb.uiowa.edu/yahyazadeh/files/pkcs1v1_5-ndss19.pdf talks about the kinds of issues that this PR addresses. The reporter of these issues is one of the authors of that paper.
