ghsa-hj3v-m684-v259
Vulnerability from github
Published
2024-03-08 15:06
Modified
2024-03-11 03:37
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Summary
JWX vulnerable to a denial of service attack using compressed JWE message
Details

Summary

This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

Details

The attacker needs to obtain a valid public key to compress the payload. It needs to be valid so that the recipient can use to successfully decompress the payload. Furthermore in context JWT processing in the v2 versions, the recipient must explicitly allow JWE handling .

The attacker then crafts a message with high compression ratio, e.g. a payload with very high frequency of repeating patterns that can decompress to a much larger size. If the payload is large enough, recipient who is decompressing the data will have to allocate a large amount of memory, which then can lead to a denial of service.

The original report includes a reference to [1], but there are some very subtle differences between this library and the aforementioned issue. The most important aspect is that the referenced issue focuses on JWT processing, whereas this library is intentionally divided into parts that comprise JOSE, i.e. JWT, JWS, JWE, JWK. In particular, v2 of this library does not attempt to handle JWT payload enveloped in a JWE message automatically (v1 attempted to do this automatically, but it was never stable).

Reflecting this subtle difference, the approach taken to mitigate this vulnerability is slightly different from the referenced issue. The referenced issue limits the size of JWT when parsing, but the fixes for this library limits the maximum size of the decompressed data when decrypting JWE messages. Therefore the fix in this library is applicable regardless of the usage context, and a limit is now imposed on the size of the message that our JWE implementation can handle.

Proof of Concept

Modified from the original report to fit the vulnerability better:

```go // The value below just needs to be "large enough" so that the it puts enough strain on the // recipient's environment. The value below is a safe size on my machine to run the test // without causing problems. When you increase the payload size, at some point the processing // will be slow enough to virtually freeze the program or cause a memory allocation error const payloadSize = 1 << 31

privkey, err := rsa.GenerateKey(rand.Reader, 2048) require.NoError(t, err, rsa.GenerateKey should succeed) pubkey := &privkey.PublicKey payload := strings.Repeat("x", payloadSize)

encrypted, err := jwe.Encrypt([]byte(payload), jwe.WithKey(jwa.RSA_OAEP, pubkey), jwe.WithContentEncryption("A128CBC-HS256"), jwe.WithCompress(jwa.Deflate)) require.NoError(t, err, jwe.Encrypt should succeed) _, err = jwe.Decrypt(encrypted, jwe.WithKey(jwa.RSA_OAEP, privkey)) // Will be allocating large amounts of memory require.Error(t, err, jwe.Decrypt should fail) ```

References

[1] CVE-2024-21319

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lestrrat-go/jwx/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lestrrat-go/jwx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-08T15:06:53Z",
    "nvd_published_at": "2024-03-09T01:15:06Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThis vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.\n\n### Details\n\n**The attacker needs to obtain a valid public key to compress the payload**. It needs to be valid so that the recipient can use to successfully decompress the payload. Furthermore in context JWT processing in the v2 versions, the recipient must explicitly allow JWE handling .\n\nThe attacker then crafts a message with high compression ratio, e.g. a payload with very high frequency of repeating patterns that can decompress to a much larger size.  If the payload is large enough, recipient who is decompressing the data will have to allocate a large amount of memory, which then can lead to a denial of service.\n\nThe original report includes a reference to [1], but there are some very subtle differences between this library and the aforementioned issue. The most important aspect is that the referenced issue focuses on JWT processing, whereas this library is intentionally divided into parts that comprise JOSE, i.e. JWT, JWS, JWE, JWK. In particular, v2 of this library does not attempt to handle JWT payload enveloped in a JWE message automatically (v1 attempted to do this automatically, but it was never stable).\n\nReflecting this subtle difference, the approach taken to mitigate this vulnerability is slightly different from the referenced issue. The referenced issue limits the size of JWT when parsing, but the fixes for this library limits the maximum size of the decompressed data when decrypting JWE messages. Therefore the fix in this library is applicable regardless of the usage context, and a limit is now imposed on the size of the message that our JWE implementation can handle.\n\n### Proof of Concept\n\nModified from the original report to fit the vulnerability better:\n\n```go\n// The value below just needs to be \"large enough\" so that the it puts enough strain on the\n// recipient\u0027s environment. The value below is a safe size on my machine to run the test\n// without causing problems. When you increase the payload size, at some point the processing\n// will be slow enough to virtually freeze the program or cause a memory allocation error\nconst payloadSize = 1 \u003c\u003c 31\n\nprivkey, err := rsa.GenerateKey(rand.Reader, 2048)\nrequire.NoError(t, err, `rsa.GenerateKey should succeed`)\npubkey := \u0026privkey.PublicKey\npayload := strings.Repeat(\"x\", payloadSize)\n\nencrypted, err := jwe.Encrypt([]byte(payload), jwe.WithKey(jwa.RSA_OAEP, pubkey), jwe.WithContentEncryption(\"A128CBC-HS256\"), jwe.WithCompress(jwa.Deflate))\nrequire.NoError(t, err, `jwe.Encrypt should succeed`)\n_, err = jwe.Decrypt(encrypted, jwe.WithKey(jwa.RSA_OAEP, privkey)) // Will be allocating large amounts of memory\nrequire.Error(t, err, `jwe.Decrypt should fail`)\n```\n\n###  References\n\n[1] [CVE-2024-21319](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2)",
  "id": "GHSA-hj3v-m684-v259",
  "modified": "2024-03-11T03:37:15Z",
  "published": "2024-03-08T15:06:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/commit/d01027d74c7376d66037a10f4f64af9af26a7e34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/commit/d43f2ceb7f0c13714dfe8854d6439766e86faa76"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lestrrat-go/jwx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JWX vulnerable to a denial of service attack using compressed JWE message"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.