vt-middleware / cryptacular

The friendly complement to the BouncyCastle crypto API for Java.

Denial of Service in latest version [1.2.3] #52

Closed findneo closed 4 years ago

findneo commented 4 years ago

Please confirm if it is vulnerable. Mitre id: CVE-2020-7226 Reporter: findneo

[Suggested description] CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.


[Additional Information] Any encoded network communication based on org.cryptacular.CiphertextHeader#decode(byte[]) is affected. The xxx in new byte[xxx] can be controlled by the client and can be up to 0x7ffffffd, which causes 2G of memory consumption without requiring any privilege.

One of the products using this vulnerable code is cas4.2.0. The login flow of cas4.2.0 is based on org.cryptacular.CiphertextHeader#decode(byte[]); concretely speaking, the affected code is org.jasig.spring.webflow.plugin.EncryptedTranscoder#decode.

Besides, the codebase for cas4.2.0 is https://github.com/apereo/cas-overlay-template/commit/7eaf9d7b5b94eb1ba5aea1b2cd6311a86bddd90b


[VulnerabilityType Other] Denial of Service


[Vendor of Product] http://www.cryptacular.org/


[Affected Product Code Base] cryptacular - 1.2.3


[Affected Component] org.cryptacular.CiphertextHeader#decode(byte[]) , https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153


[Attack Type] Remote


[Impact Denial of Service] true


[Attack Vectors] a crafted header of encoded data, e.g. '\x00\x00\x00\x34\x7f\xff\xff\xfd'
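As an added illustration, not code from Cryptacular or from anyone in this thread: a decoder for a simplified header layout modelled on the description above (a 4-byte header length, then a 4-byte nonce length, then the nonce bytes; this layout is an assumption, not the library's exact wire format) that validates both untrusted lengths before any allocation. The class name and MAX_NONCE_LENGTH are hypothetical; the crafted header from the report is used as a constructed sample.

```java
import java.nio.ByteBuffer;

public final class BoundedHeaderDecoder {
    // Hypothetical ceiling for a nonce: real nonces are a few dozen bytes at most.
    static final int MAX_NONCE_LENGTH = 255;

    /** Reads the nonce from a header, validating every untrusted length before allocating. */
    public static byte[] decodeNonce(byte[] data) {
        final ByteBuffer bb = ByteBuffer.wrap(data);
        if (bb.remaining() < 8) {
            throw new IllegalArgumentException("header too short: " + bb.remaining() + " bytes");
        }
        final int headerLength = bb.getInt();
        if (headerLength < 8 || headerLength > data.length) {
            throw new IllegalArgumentException("invalid header length " + headerLength);
        }
        final int nonceLength = bb.getInt();
        // The check the report describes as missing: the length is attacker-supplied, so
        // bound it by a sane maximum AND by the bytes actually present before new byte[n].
        if (nonceLength < 1 || nonceLength > MAX_NONCE_LENGTH || nonceLength > bb.remaining()) {
            throw new IllegalArgumentException("invalid nonce length " + nonceLength);
        }
        final byte[] nonce = new byte[nonceLength];
        bb.get(nonce);
        return nonce;
    }

    public static void main(String[] args) {
        // Constructed sample 1: the crafted header quoted in the report (0x34 header length,
        // 0x7ffffffd nonce length). It is rejected before any large allocation can happen.
        final byte[] crafted = {0, 0, 0, 0x34, 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xfd};
        try {
            decodeNonce(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed sample 2: a well-formed 20-byte header carrying a 12-byte nonce.
        final byte[] good = ByteBuffer.allocate(20).putInt(20).putInt(12).put(new byte[12]).array();
        System.out.println("accepted nonce of " + decodeNonce(good).length + " bytes");
    }
}
```

The same pattern applies to any further length-prefixed field in a header (such as a key name): compare the declared length against both a fixed ceiling and the remaining input before allocating.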

serac commented 4 years ago

Confirmed. We're analyzing feasibility of a backward-compatible patch and will follow up with release schedule shortly.

serac commented 4 years ago

Resolved by #53.

ManjunathMS35 commented 4 years ago

Hi,

When is the fixed version planned to be released? and is there a plan to backport this patch to 1.1.x version?

Thanks, Manjunath

dfish3r commented 4 years ago

I'm hoping for a release in the next week. Have you done any testing with the latest snapshot?

dfish3r commented 4 years ago

1.2.4 has been released.

daniel-beck commented 4 years ago

Actual source code reference seems to be https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153

findneo commented 4 years ago

> Actual source code reference seems to be
> https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153

Right, and here: https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L165