CVE-2016-1000338
ASN.1 encoding vulnerability in bcprov-jdk14 (Maven)

What is CVE-2016-1000338 About?

This vulnerability in Bouncy Castle JCE Provider 1.55 and earlier stems from DSA signature verification that does not fully validate the ASN.1 encoding of the signature. Extra elements can be injected into the signature sequence and are still accepted, so 'invisible' data passes verification as part of a valid signature. Exploitation is complex, requiring specific cryptographic knowledge and manipulation.

Affected Software

  • org.bouncycastle:bcprov-jdk14
    • >1.38, <1.56
  • org.bouncycastle:bcprov-jdk15
    • >1.38, <1.56
  • org.bouncycastle:bcprov-jdk15on
    • >1.38, <1.56

Technical Details

The vulnerability in Bouncy Castle JCE Provider versions 1.55 and earlier relates to the Digital Signature Algorithm (DSA) verification process. Specifically, the DSA implementation does not thoroughly validate the ASN.1 (Abstract Syntax Notation One) encoding of a signature during verification. ASN.1 is the notation used to define such data structures, and a DSA signature is encoded as a sequence of two integers (the R and S components). The flaw allows an attacker to inject additional, benign-looking elements into the ASN.1 sequence that makes up the signature. Despite these extra elements, the flawed verification process still deems the signature valid. This effectively enables an attacker to embed 'invisible' data into a signed structure without invalidating the signature, which could be used for covert communication, data exfiltration, or to bypass integrity checks if an application relies on precise ASN.1 structure validation beyond just the R and S components.
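As an added illustration (not Bouncy Castle code), the following Python parser enforces the strict DER structure the flawed verification failed to require: one SEQUENCE containing exactly two non-negative INTEGERs and nothing else. The sample signature bytes are constructed toy values with r = 5 and s = 7, not real signatures.

```python
# Added example: strict DER check for a DSA signature SEQUENCE { INTEGER r, INTEGER s } (not Bouncy Castle code).
def _read_tlv(buf, pos):
    # Read one DER tag-length-value starting at pos; return (tag, value_bytes, next_pos).
    if pos + 2 > len(buf):
        raise ValueError("truncated: expected tag and length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding (not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def _der_integer(value):
    # r and s must be non-negative and minimally encoded (one optional 0x00 pad only when needed).
    if not value or value[0] & 0x80:
        raise ValueError("empty or negative INTEGER is not a valid r/s")
    if len(value) > 1 and value[0] == 0 and value[1] < 0x80:
        raise ValueError("non-minimal INTEGER (superfluous leading zero)")
    return int.from_bytes(value, "big")

def parse_dsa_signature_strict(sig):
    # Return (r, s), or raise ValueError for anything but exactly SEQUENCE { INTEGER, INTEGER }.
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30 or end != len(sig):
        raise ValueError("not a single SEQUENCE spanning the whole signature")
    ints, pos = [], 0
    while pos < len(body):                # walk every element; injected extras surface here
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("unexpected element tag 0x%02x inside signature" % tag)
        ints.append(_der_integer(value))
    if len(ints) != 2:
        raise ValueError("expected exactly two INTEGERs, found %d" % len(ints))
    return ints[0], ints[1]

def accepts(sig):
    try:
        return bool(parse_dsa_signature_strict(sig))
    except ValueError:
        return False

VALID_SIG = bytes.fromhex("3006020105020107")                # constructed: toy r = 5, s = 7
INJECTED_SIG = bytes.fromhex("300a020105020107" "0402dead")  # constructed: extra OCTET STRING inside SEQUENCE
THIRD_INT_SIG = bytes.fromhex("3009020105020107" "02012a")   # constructed: third INTEGER inside SEQUENCE
```

A lenient decoder that only reads the first two INTEGERs accepts INJECTED_SIG and THIRD_INT_SIG unchanged; this parser rejects both along with trailing bytes and non-minimal encodings.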

What is the Impact of CVE-2016-1000338?

Successful exploitation may allow attackers to embed 'invisible' data within digitally signed documents or communications without invalidating the signature, potentially leading to covert information transfer, bypassing integrity checks, or altering the perceived content of signed messages.

What is the Exploitability of CVE-2016-1000338?

Exploitation complexity is high, requiring a deep understanding of ASN.1 encoding, DSA signatures, and cryptographic manipulation techniques. No authentication or privileged access is directly required, but the attacker must be able to generate or modify DSA signatures that will be processed by a vulnerable Bouncy Castle implementation. The attack could be either local or remote, depending on where the vulnerable signature verification occurs within a system. The prerequisite is that the system relies on Bouncy Castle JCE Provider versions 1.55 or earlier for DSA signature verification. No special conditions apply other than the need to craft a precisely malformed ASN.1 signature. The risk increases if a system's security relies solely on the cryptographic validity of signatures without additional checks on the exact ASN.1 structure, making it susceptible to extraneous data within valid signatures.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2016-1000338?

Available Upgrade Options

  • org.bouncycastle:bcprov-jdk15
    • >1.38, <1.56 → Upgrade to 1.56
  • org.bouncycastle:bcprov-jdk14
    • >1.38, <1.56 → Upgrade to 1.56
  • org.bouncycastle:bcprov-jdk15on
    • >1.38, <1.56 → Upgrade to 1.56

Additional Resources

What are Similar Vulnerabilities to CVE-2016-1000338?

Similar Vulnerabilities: CVE-2021-3997, CVE-2019-1563, CVE-2023-34462, CVE-2023-34463, CVE-2023-3817