CVE-2024-13009
Signature Forgery vulnerability in jetty-server (Maven)
What is CVE-2024-13009 About?
This vulnerability involves a Signature Forgery attack due to an upper bound check issue in the `dsaVerify` function, allowing attackers to construct signatures verifiable by any public key. This bypasses cryptographic authentication mechanisms. Exploitation requires crafting a specific DSA signature, making it a moderately complex attack.
Affected Software
Technical Details
The vulnerability stems from an incorrect upper bound check within the checkValue function, which is called by dsaVerify during DSA signature verification. The checkValue function is intended to ensure that signature components r and s fall within the [1, q-1] interval. However, the check b.cmp(q) for the upper bound is flawed because b.cmp(q) only returns -1, 0, or 1 and can never be greater than q itself. This allows an attacker to use s=q (which is functionally equivalent to s=0 in modular arithmetic but bypasses direct s=0 checks) to bypass the dsaVerify function. By setting (r, s) = (1, q), the crafted signature can be successfully verified against any public key, thereby achieving signature forgery without knowledge of the private key.
What is the Impact of CVE-2024-13009?
Successful exploitation may allow attackers to forge digital signatures, impersonate legitimate entities, tamper with signed data, or bypass authentication mechanisms that rely on DSA signatures, leading to unauthorized access, data integrity compromise, or execution of malicious code.
What is the Exploitability of CVE-2024-13009?
Exploitation is of moderate complexity, requiring specific knowledge of DSA signature generation and the ability to craft a signature with s=q. There are no authentication or privilege requirements to trigger the vulnerability, as it targets the signature verification process itself. The attack is typically remote, as it involves presenting a forged signature to a system that verifies it. The primary constraint is the system's reliance on the flawed dsaVerify implementation. The likelihood of exploitation increases in systems where DSA signatures are a primary method of authentication or data integrity, making it a critical threat if such systems are exposed to untrusted inputs.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-13009?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
- >9.4.0, <9.4.57.v20241219 → Upgrade to 9.4.57.v20241219
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/48
- https://osv.dev/vulnerability/GHSA-q4rv-gq96-w7c5
- https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
- https://nvd.nist.gov/vuln/detail/CVE-2024-13009
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/48
- https://github.com/jetty/jetty.project
- https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
What are Similar Vulnerabilities to CVE-2024-13009?
Similar Vulnerabilities: CVE-2023-3817 , CVE-2023-34538 , CVE-2023-29499 , CVE-2022-44675 , CVE-2022-41123
