Impact
Vulnerable jsrsasign will accept RSA signature (RSASSA-PKCS1-v1_5) with improper PKCS#1.5 padding.
Decoded RSA signature value consists following form:
- 0001(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]
Its byte length shall be the same as RSA key length however such checking was not sufficient.
So following decoded signature can be accepted by mistake:
- (000 .. more than 3 zeros)(short "f"s)00[ASN.1 OF DigestInfo]
- 001f(one more long "f"s)00[ASN.1 OF DigestInfo]
To make crafted valid message for practical attack is very hard since it's still relies on hash algorithm collision.
Patches
Users validating RSA signature should upgrade to 10.2.0 or later.
Workarounds
There is no workaround. Not to use RSA signature validation in jsrsasign otherwise update to 10.2.0.
ACKNOWLEDGEMENT
Thanks to Mr. Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30246
https://nvd.nist.gov/vuln/detail/CVE-2021-30246
https://tools.ietf.org/html/rfc8017#section-8.2
https://github.com/kjur/jsrsasign/releases/tag/10.2.0
#478
Impact
Vulnerable jsrsasign will accept RSA signature (RSASSA-PKCS1-v1_5) with improper PKCS#1.5 padding.
Decoded RSA signature value consists following form:
Its byte length shall be the same as RSA key length however such checking was not sufficient.
So following decoded signature can be accepted by mistake:
To make crafted valid message for practical attack is very hard since it's still relies on hash algorithm collision.
Patches
Users validating RSA signature should upgrade to 10.2.0 or later.
Workarounds
There is no workaround. Not to use RSA signature validation in jsrsasign otherwise update to 10.2.0.
ACKNOWLEDGEMENT
Thanks to Mr. Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30246
https://nvd.nist.gov/vuln/detail/CVE-2021-30246
https://tools.ietf.org/html/rfc8017#section-8.2
https://github.com/kjur/jsrsasign/releases/tag/10.2.0
#478