Skip to content

Fastly Compute@Edge JS Runtime has fixed random number seed during compilation

High severity GitHub Reviewed Published Sep 20, 2022 in fastly/js-compute-runtime • Updated Jan 30, 2023

Package

npm @fastly/js-compute (npm)

Affected versions

>= 0.4.0, < 0.5.3

Patched versions

0.5.3

Description

Impact

Math.random and crypto.getRandomValues methods failed to use sufficiently random values. The initial value to seed the CSPRNG (cryptographically secure pseudorandom number generator) was baked-in to the final WebAssembly module meaning the sequence of numbers generated was predictable for that specific WebAssembly module. An attacker with access to that same WebAssembly module that calls the affected methods could use the fixed seed to predict random numbers generated by these functions. This information could be used to bypass cryptographic security controls, for example to disclose sensitive data encrypted by functions that use these generators.

Patches

The problem has been fixed in version 0.5.3.

Corrected Math.random and crypto.getRandomValues methods to always use sufficiently random values. The previous versions would use a CSPRNG (cryptographically secure pseudorandom number generator) which we would seed with a random value. However, due to our use of Wizer, the initial value to seed the CSPRNG was baked-in to the final WebAssembly module meaning the sequence of numbers generated was predictable for that specific WebAssembly module. The new implementations of both Math.random and crypto.getRandomValues do not use a CSPRNG and instead pull random values from WASI (WebAssembly System Interface) libc’s random_get function, which is always a sufficiently random value.

Workarounds

There are no workarounds, you must upgrade to version 0.5.3 or later.

References

@elliottt elliottt published to fastly/js-compute-runtime Sep 20, 2022
Published by the National Vulnerability Database Sep 20, 2022
Published to the GitHub Advisory Database Sep 20, 2022
Reviewed Sep 20, 2022
Last updated Jan 30, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

0.229%
(62nd percentile)

Weaknesses

CVE ID

CVE-2022-39218

GHSA ID

GHSA-cmr8-5w4c-44v8

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.