CVE-2018-1000180
Insecure Randomness / Weak Cryptography vulnerability in bcprov-jdk14 (Maven)


What is CVE-2018-1000180 About?

Bouncy Castle BC 1.54 - 1.59 and BC-FJA 1.0.0, 1.0.1 have a flaw in the low-level interface to the RSA key pair generator. RSA key pairs generated with a caller-specified certainty undergo fewer Miller-Rabin primality tests than that certainty requires. This oversight weakens the cryptographic strength of the generated keys, potentially making them easier to factor.

Affected Software

  • org.bouncycastle:bcprov-jdk14
    • <1.60
  • org.bouncycastle:bcprov-jdk15
    • <1.60
  • org.bouncycastle:bcprov-jdk15on
    • <1.60

Technical Details

The Bouncy Castle library, in the affected versions, implements a low-level interface for RSA key pair generation. When generating RSA keys and specifying a 'certainty' parameter (which dictates the number of Miller-Rabin primality tests to perform), the implementation does not always execute the expected number of tests. As a result, the prime candidates p and q used to form the RSA modulus n = p*q have a higher probability of being composite than the requested certainty implies. If p or q is composite, the generated RSA key pair is cryptographically weaker and more susceptible to factorization attacks, compromising the confidentiality and integrity of data encrypted with such keys.
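The following Python example is added here to make the relationship between the 'certainty' parameter and the number of Miller-Rabin rounds concrete; it is not Bouncy Castle code, and its round schedule uses the conservative bound of 1/4 error per random-base round (2 bits of certainty per round) rather than Bouncy Castle's exact heuristic. It also shows the defender-side check a key owner can run: re-testing the prime factors of an existing private key with the full number of rounds.

```python
import random

def rounds_for_certainty(certainty: int) -> int:
    """Conservative schedule (assumption, not BC's exact rule): one random-base
    Miller-Rabin round declares a composite 'probably prime' with probability
    at most 1/4, so 'certainty' bits need ceil(certainty / 2) rounds."""
    return (certainty + 1) // 2

def miller_rabin(n: int, rounds: int, rng=random.SystemRandom()) -> bool:
    """Return False if n is definitely composite, True if it survived 'rounds'
    independent random-base tests (composite with probability <= 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):   # trial division for tiny factors
        if n % small == 0:
            return n == small
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)       # fresh random base each round
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # 'a' witnesses that n is composite
    return True

def recheck_rsa_primes(p: int, q: int, certainty: int) -> dict:
    """Re-test the factors of an existing RSA private key with the number of
    rounds the caller's certainty actually requires. A key whose p or q fails
    here was never a valid RSA key and must be replaced."""
    rounds = rounds_for_certainty(certainty)
    return {"rounds": rounds,
            "p_prime": miller_rabin(p, rounds),
            "q_prime": miller_rabin(q, rounds)}

if __name__ == "__main__":
    # Constructed sample: two Mersenne primes stand in for p and q; 252601 is
    # a Carmichael number (41*61*101) that fools Fermat tests but not Miller-Rabin.
    print(recheck_rsa_primes(2**61 - 1, 2**89 - 1, certainty=100))
    print(recheck_rsa_primes(2**61 - 1, 252601, certainty=100))
```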

What is the Impact of CVE-2018-1000180?

Successful exploitation may allow attackers to compromise the confidentiality and integrity of data encrypted with affected RSA keys, potentially leading to unauthorized data decryption or forgery of digital signatures.

What is the Exploitability of CVE-2018-1000180?

Exploitation of this cryptographic vulnerability is highly complex, requiring advanced mathematical and computational capabilities. An attacker would first need to obtain an RSA public key generated by an affected Bouncy Castle version through the flawed low-level generator. No authentication or privileges are required against the library itself, but obtaining the public key might require access to systems using it. This is a remote vulnerability if the public keys are publicly exposed (e.g., in certificates or TLS handshakes). The primary prerequisite is that the target system must have generated RSA keys using the vulnerable Bouncy Castle versions via the affected low-level API. The likelihood of exploitation is generally low due to the computational resources required for factorization, but the flaw significantly reduces the intended security margin of the RSA keys.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2018-1000180?

Available Upgrade Options

  • org.bouncycastle:bcprov-jdk15on
    • <1.60 → Upgrade to 1.60
  • org.bouncycastle:bcprov-jdk15
    • <1.60 → Upgrade to 1.60
  • org.bouncycastle:bcprov-jdk14
    • <1.60 → Upgrade to 1.60


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1000180?

Similar Vulnerabilities: CVE-2008-0166, CVE-2013-0169, CVE-2014-3575, CVE-2015-1785, CVE-2019-15638