CVE-2022-24772
Signature Forgery vulnerability in node-forge (npm)

Signature Forgery · No known exploit · Fixable by Resolved Security

What is CVE-2022-24772 About?

This vulnerability in RSA PKCS#1 v1.5 signature verification allows signature forgery because trailing garbage bytes after the decoded `DigestInfo` ASN.1 structure are not rejected. When a low public exponent is used, an attacker can shorten the padding and append garbage data to produce a value that verifies as a valid signature. This is a subtle cryptographic vulnerability, moderately difficult to exploit.

Affected Software

node-forge <1.3.0

Technical Details

The node-forge library, specifically its RSA PKCS#1 v1.5 signature verification code, fails to check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. The DigestInfo structure is the ASN.1 encoding of the hash algorithm identifier and message digest; it is padded into the encoded message before the RSA private-key operation. When a low public exponent (e.g., 3) is used, this oversight allows an attacker to remove some padding bytes and append arbitrary 'garbage' data. This manipulation can create multiple valid signatures for the same message, or allow signatures to be forged for different messages. The attack hinges on the verification process ignoring extraneous data, which becomes exploitable when the mathematical properties of a low public exponent make it easy to find such malleable signatures.

What is the Impact of CVE-2022-24772?

Successful exploitation may allow attackers to forge digital signatures, bypass authentication mechanisms, validate malicious data as legitimate, or compromise the integrity and authenticity of communications and software updates.

What is the Exploitability of CVE-2022-24772?

Exploitation of this cryptographic vulnerability is complex, requiring a deep understanding of RSA PKCS#1 v1.5 padding schemes, ASN.1 structures, and the mathematical properties of low public exponents. There are no direct authentication requirements for the attack itself, as it targets the signature verification process. However, the attacker would need access to a signed message and potentially the public key used for verification. This is typically a remote attack in scenarios involving signed data or remote authentication. Special conditions include the use of a low public exponent in the RSA key pair. Risk factors are high for systems relying on node-forge older than 1.3.0 for signature verification, especially if they use RSA keys with low public exponents for critical security functions like code signing or secure communication.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-24772?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch addresses CVE-2022-24772 by ensuring that all bytes in the DER-encoded DigestInfo structure are parsed and validated during RSA signature verification, rather than accepting partially parsed or malformed input. It also adds a strict check for the correct ASN.1 structure and for supported hash algorithm OIDs in DigestInfo. This prevents attackers from exploiting incomplete or manipulated data appended after the DigestInfo structure, which could otherwise bypass signature validation and lead to signature forgery.

Available Upgrade Options

  • node-forge
    • <1.3.0 → Upgrade to 1.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-24772?

Similar Vulnerabilities: CVE-2017-15361, CVE-2018-0500, CVE-2016-7855, CVE-2021-3968, CVE-2018-0502