Timing Attack Affecting org.webjars.npm:node-forge package, versions (,0.6.33)
Threat Intelligence
Snyk has a published code exploit for this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGWEBJARSNPM-480045
- published26 Dec 2016
- disclosed25 Jun 2015
- creditDave Longley
Introduced: 25 Jun 2015
CVE NOT AVAILABLE CWE-208 (opens in a new tab)How to fix?
Upgrade node-forge to version 0.6.33 or higher.
Overview
node-forge is a JavaScript implementation of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Affected versions of the package are vulnerable to a Timing Attack due to unsafe HMAC comparison.
The HMAC algorithm produces a keyed message by pairing a hash function with a cryptographic key. Both the key and a message serve as input to this algorithm, while it outputs a fixed-length digest output which can be sent with the message. Anyone who knows the key can repeat the algorithm and compare their calculated HMAC with one they have received, to verify a message originated from someone with knowledge of the key and has not been tampered with.
The problem begins when trying to compare two HMACs. This is the part of code that handles the comparison:
if(byteArrayA.length != byteArrayB.length) { return false; }
for(int i = 0; i < byteArrayA.length; i++) {
if(byteArrayA[i] != byteArrayB[i]) { return false; }
}
return true;
The issue is that the more bytes match in the two arrays, the more comparisons are formed and the longer it'll take to return a result. This may allow attackers to brute force their way into the servers.