We found cryptography bugs in the elliptic library using Wycheproof
3 days ago
- #Cryptography
- #Security Vulnerabilities
- #Elliptic Curve
- Trail of Bits disclosed two vulnerabilities in the elliptic JavaScript library, used by 3,000 projects and downloaded over 10 million times weekly.
- The vulnerabilities stem from missing modular reductions and a missing length check, which can lead to signature forgery or verification failures.
- One vulnerability remains unpatched after a 90-day disclosure window ending in October 2024.
- Wycheproof, a cryptographic testing tool, was used to discover these vulnerabilities.
- Five vulnerabilities were identified, resulting in five CVEs, with three being minor parsing issues and two more severe.
- CVE-2024-48949 involves EdDSA signature malleability due to a missing bounds check, allowing signature forgery.
- CVE-2024-48948 involves ECDSA signature verification errors when hashes have leading zeros, causing valid signatures to be rejected.
- Continuous testing with tools like Wycheproof is recommended to maintain cryptographic library security.
- The disclosure timeline details the process from discovery to public disclosure, including interactions with the library maintainers.
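
The kind of bounds check whose absence the CVE-2024-48949 item describes, as an added example (not code from the elliptic library or from Trail of Bits): RFC 8032 requires an Ed25519 verifier to reject any signature whose scalar S is not below the group order L, because S and S + L otherwise behave identically during verification. The function names and the sample signature bytes are constructed for illustration.

```javascript
// Added example; function names and sample bytes are assumptions, not elliptic's API.
// Ed25519 group order L (RFC 8032): 2^252 + 27742317777372353535851937790883648493
const L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Ed25519 encodes integers little-endian.
function leToBigInt(bytes) {
  let n = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) n = (n << 8n) | BigInt(bytes[i]);
  return n;
}

function bigIntToLe(n, len) {
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) {
    out[i] = Number(n & 0xffn);
    n >>= 8n;
  }
  return out;
}

// Structural checks a verifier runs before any curve arithmetic.
// Returns null when the encoding is acceptable, otherwise a reason string.
function rejectReason(sig) {
  if (!(sig instanceof Uint8Array)) return 'signature must be a Uint8Array';
  if (sig.length !== 64) return 'signature must be exactly 64 bytes (R || S)';
  const S = leToBigInt(sig.subarray(32, 64));
  if (S >= L) return 'S is not reduced modulo L (non-canonical, malleable)';
  return null;
}

// Constructed sample: R is filler bytes (this example does no point decoding).
function sampleSignature(S) {
  const sig = new Uint8Array(64);
  sig.fill(0x11, 0, 32);
  sig.set(bigIntToLe(S, 32), 32);
  return sig;
}

const canonical = sampleSignature(5n);
const shifted = sampleSignature(5n + L); // same scalar mod L, different bytes

console.log(rejectReason(canonical)); // null
console.log(rejectReason(shifted));
console.log(rejectReason(canonical.subarray(0, 63)));
```

The check covers only the encoding of S; a full verifier still has to decode R and the public key and evaluate the verification equation.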