Vulnerability-Lookup

CVE-2023-46133 (GCVE-0-2023-46133)

Vulnerability from cvelistv5 – Published: 2023-10-25 20:48 – Updated: 2024-09-10 14:08

Title

crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

Summary

CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-328 - Use of Weak Hash
CWE-916 - Use of Password Hash With Insufficient Computational Effort

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/entronad/crypto-es/security/ad…	x_refsource_CONFIRM
https://github.com/entronad/crypto-es/commit/d506…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
entronad	crypto-es	Affected: < 2.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:37:39.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
          },
          {
            "name": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:entronad:cryptoes:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "cryptoes",
            "vendor": "entronad",
            "versions": [
              {
                "lessThan": "2.1.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-46133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T13:59:03.749598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-10T14:08:02.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "crypto-es",
          "vendor": "entronad",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "CWE-328: Use of Weak Hash",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-916",
              "description": "CWE-916: Use of Password Hash With Insufficient Computational Effort",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-25T20:49:28.040Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
        },
        {
          "name": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
        }
      ],
      "source": {
        "advisory": "GHSA-mpj8-q39x-wq5h",
        "discovery": "UNKNOWN"
      },
      "title": "crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-46133",
    "datePublished": "2023-10-25T20:48:14.285Z",
    "dateReserved": "2023-10-16T17:51:35.573Z",
    "dateUpdated": "2024-09-10T14:08:02.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-46133",
      "date": "2026-05-25",
      "epss": "0.00182",
      "percentile": "0.3953"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-46133\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-25T21:15:10.093\",\"lastModified\":\"2024-11-21T08:27:57.017\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations.\"},{\"lang\":\"es\",\"value\":\"CryptoES es una librer\u00eda de algoritmos de criptograf\u00eda compatible con ES6 y TypeScript. Antes de la versi\u00f3n 2.1.0, CryptoES PBKDF2 es 1000 veces m\u00e1s d\u00e9bil de lo especificado originalmente en 1993, y al menos 1.300.000 veces m\u00e1s d\u00e9bil que el est\u00e1ndar actual de la industria. Esto se debe a que su valor predeterminado es SHA1, un algoritmo hash criptogr\u00e1fico considerado inseguro desde al menos 2005, y su valor predeterminado es una sola iteraci\u00f3n, un valor de \\\"fuerza\\\" o \\\"dificultad\\\" especificado en 1000 cuando se especific\u00f3 en 1993. PBKDF2 se basa en el recuento de iteraciones como una contramedida a los ataques de preimagen y colisi\u00f3n. Si se utiliza para proteger contrase\u00f1as, el impacto es alto. Si se utiliza para generar firmas, el impacto es alto. La versi\u00f3n 2.1.0 contiene un parche para este problema. Como workaround, configure CryptoES para usar SHA256 con al menos 250 000 iteraciones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-328\"},{\"lang\":\"en\",\"value\":\"CWE-916\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-327\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:entronad:cryptoes:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2.1.0\",\"matchCriteriaId\":\"418D3686-F244-48BA-AB46-237018709069\"}]}]}],\"references\":[{\"url\":\"https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h\", \"name\": \"https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757\", \"name\": \"https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T20:37:39.621Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-46133\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T13:59:03.749598Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:entronad:cryptoes:*:*:*:*:*:*:*:*\"], \"vendor\": \"entronad\", \"product\": \"cryptoes\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.1.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-10T14:07:56.721Z\"}}], \"cna\": {\"title\": \"crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard\", \"source\": {\"advisory\": \"GHSA-mpj8-q39x-wq5h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"entronad\", \"product\": \"crypto-es\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h\", \"name\": \"https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757\", \"name\": \"https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-328\", \"description\": \"CWE-328: Use of Weak Hash\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-916\", \"description\": \"CWE-916: Use of Password Hash With Insufficient Computational Effort\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-10-25T20:49:28.040Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-46133\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-10T14:08:02.138Z\", \"dateReserved\": \"2023-10-16T17:51:35.573Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-10-25T20:48:14.285Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-46133

Vulnerability from fkie_nvd - Published: 2023-10-25 21:15 - Updated: 2024-11-21 08:27

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757	Patch
security-advisories@github.com	https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	entronad	cryptoes	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:entronad:cryptoes:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "418D3686-F244-48BA-AB46-237018709069",
              "versionEndExcluding": "2.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations."
    },
    {
      "lang": "es",
      "value": "CryptoES es una librer\u00eda de algoritmos de criptograf\u00eda compatible con ES6 y TypeScript. Antes de la versi\u00f3n 2.1.0, CryptoES PBKDF2 es 1000 veces m\u00e1s d\u00e9bil de lo especificado originalmente en 1993, y al menos 1.300.000 veces m\u00e1s d\u00e9bil que el est\u00e1ndar actual de la industria. Esto se debe a que su valor predeterminado es SHA1, un algoritmo hash criptogr\u00e1fico considerado inseguro desde al menos 2005, y su valor predeterminado es una sola iteraci\u00f3n, un valor de \"fuerza\" o \"dificultad\" especificado en 1000 cuando se especific\u00f3 en 1993. PBKDF2 se basa en el recuento de iteraciones como una contramedida a los ataques de preimagen y colisi\u00f3n. Si se utiliza para proteger contrase\u00f1as, el impacto es alto. Si se utiliza para generar firmas, el impacto es alto. La versi\u00f3n 2.1.0 contiene un parche para este problema. Como workaround, configure CryptoES para usar SHA256 con al menos 250 000 iteraciones."
    }
  ],
  "id": "CVE-2023-46133",
  "lastModified": "2024-11-21T08:27:57.017",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-25T21:15:10.093",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-328"
        },
        {
          "lang": "en",
          "value": "CWE-916"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-MPJ8-Q39X-WQ5H

Vulnerability from github – Published: 2023-10-25 21:14 – Updated: 2023-11-08 17:43

Summary

crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

Details

Impact

Summary

Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.

Potential Impact:

If used to protect passwords, the impact is high.
If used to generate signatures, the impact is high.

Probability / risk analysis / attack enumeration:

[For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has identical cryptographic signature to any chosen known value.
Due to the length extension attack on SHA1, we can create a value that has identical signature to any unknown value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies 'salt' or 'pepper' or any other secret unknown to the attacker. It will still create an identical signature.

[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin"

crypto-js has 10,642 public users as displayed on NPM, today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.

A very rough GitHub search shows 432 files cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.

Affected versions

All versions are impacted. This code has been the same since crypto-js was first created.

Further Cryptanalysis

The issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.

Consider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.

To encrypt the user password via symmetric encryption we might do encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper)). By this means, we would, in theory, create an encryption_key that can be determined from the public username, but which requires the secret salt_or_pepper to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.

Because of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker does not need to know salt_or_pepper to decrypt their account data, only their public username.

Description

PBKDF2 is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).

Unlike the modern webcrypto standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 1993, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, OWASP recommends 1,300,000:

https://github.com/entronad/crypto-es/blob/aa48d48413549addc06cd737a272466d5fc1b5e6/lib/pbkdf2.js#L35-L39

Workarounds

Consult the OWASP PBKDF2 Cheatsheet. Configure to use SHA256 with at least 250,000 iterations.

Coordinated disclosure

This issue was simultaneously submitted to crypto-js and crypto-es on the 23rd of October 2023.

Caveats

This issue was found in a security review that was not scoped to crypto-es. This report is not an indication that crypto-es has undergone a formal security assessment by the author.

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "crypto-es"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-328",
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T21:14:44Z",
    "nvd_published_at": "2023-10-25T21:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.\n\nPotential Impact:\n\n1. If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies \u0027[salt][cryptographic salt]\u0027 or \u0027[pepper][cryptographic pepper]\u0027 or any other secret unknown to the attacker. It will still create an identical signature.\n\n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Ga\u00ebtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22\u0026type=code\u0026p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript)  NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user\u0027s username, and that secret is used to protect e.g. their passwords. Let\u0027s say that password is \u0027fake-password\u0027, and their username is \u0027example-username\u0027.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: \u0027fake-password\u0027, encryption_key: cryptojs.pbkdf2(value: \u0027example username\u0027 + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt \u0026 scrypt. Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with \u0027example username\u0027, the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password\u0027s entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 1993, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/entronad/crypto-es/blob/aa48d48413549addc06cd737a272466d5fc1b5e6/lib/pbkdf2.js#L35-L39\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-es. This report is not an indication that crypto-es has undergone a formal security assessment by the author.\n\n\n",
  "id": "GHSA-mpj8-q39x-wq5h",
  "modified": "2023-11-08T17:43:32Z",
  "published": "2023-10-25T21:14:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/entronad/crypto-es"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard"
}

GSD-2023-46133

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-46133

Aliases

CVE-2023-46133

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-46133",
    "id": "GSD-2023-46133"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-46133"
      ],
      "details": "CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations.",
      "id": "GSD-2023-46133",
      "modified": "2023-12-13T01:20:53.368004Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-46133",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "crypto-es",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "entronad"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-328",
                "lang": "eng",
                "value": "CWE-328: Use of Weak Hash"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-916",
                "lang": "eng",
                "value": "CWE-916: Use of Password Hash With Insufficient Computational Effort"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h",
            "refsource": "MISC",
            "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
          },
          {
            "name": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757",
            "refsource": "MISC",
            "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-mpj8-q39x-wq5h",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:entronad:cryptoes:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-46133"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-327"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
            },
            {
              "name": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-11-08T14:14Z",
      "publishedDate": "2023-10-25T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-46133 (GCVE-0-2023-46133)

FKIE_CVE-2023-46133

GHSA-MPJ8-Q39X-WQ5H

Impact

Summary

Affected versions

Further Cryptanalysis

Description

Workarounds

Coordinated disclosure

Caveats

GSD-2023-46133

Tags

Sightings

Nomenclature