Skip to content

ECDSA signature vulnerability of Minerva timing attack in jsrsasign

Moderate severity GitHub Reviewed Published Jun 28, 2020 in kjur/jsrsasign • Updated Jan 9, 2023

Package

npm jsrsasign (npm)

Affected versions

>= 4.0.0, < 8.0.13

Patched versions

8.0.13

Description

Impact

ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign.

Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.13 or later, execution time of EC point and scalar multiplication is almost constant and fixed for the issue.

  • Minerva is one of timing attack or side channel attack for EC.
  • If you don't use ECDSA class, you are not affected the vulnerability.
  • The vulnerability is that attacker may guess private key by checking processing time of EC key generation or ECDSA signing.
  • The cause issue is that point multiplication processing time in ECDSA signing is depends on private key value.
  • After 8.0.13, processing time of point multiplication in ECDSA signing have become constant for key value in theory.

Patches

Users using ECDSA signature generation should upgrade to 8.0.13 or later.

Workarounds

There is no workarounds in jsrsasign. Update jsrsasign or use other ECDSA library.

ACKNOWLEDGEMENT

Thanks to Jan Jancar @J08nY, Petr Svenda and Vladimir Sedlacek of Masaryk University in Czech Republic to find and report this vulnerability.

References

https://minerva.crocs.fi.muni.cz/
https://www.npmjs.com/advisories/1505
kjur/jsrsasign#411

References

@kjur kjur published to kjur/jsrsasign Jun 28, 2020
Reviewed Jun 29, 2020
Published to the GitHub Advisory Database Jun 30, 2020
Last updated Jan 9, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-g753-jx37-7xwh

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.