chore(deps): update dependency crypto-js to v4.2.0 [security]#900
chore(deps): update dependency crypto-js to v4.2.0 [security]#900renovate[bot] wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
19f8fa2 to
7fa61e3
Compare
7fa61e3 to
ca45bff
Compare
|
ca45bff to
4b67b59
Compare
|
4b67b59 to
85970b1
Compare
|
85970b1 to
8a6af56
Compare
8a6af56 to
db6b19c
Compare
db6b19c to
49a4c95
Compare
49a4c95 to
e59abf3
Compare
e59abf3 to
7b8f6b4
Compare
37c9c95 to
dfb14a2
Compare
dfb14a2 to
1ce9cc9
Compare
1ce9cc9 to
c78fb6a
Compare
c78fb6a to
3c40d48
Compare
3c40d48 to
cc545a6
Compare
cc545a6 to
02fd274
Compare
02fd274 to
44133cd
Compare
44133cd to
82daa9f
Compare
82daa9f to
aaf9aa7
Compare
75b26d4 to
25da7c0
Compare
25da7c0 to
3a66027
Compare
5e7fad1 to
c940fa4
Compare
c940fa4 to
5181bc0
Compare
5181bc0 to
5a138e8
Compare
5a138e8 to
9d65793
Compare
|
1 similar comment
|
|
|




This PR contains the following updates:
4.1.1→4.2.0crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
CVE-2023-46233 / GHSA-xwcq-pm8m-c4vf
More information
Details
Impact
Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks.
Potential Impact:
Probability / risk analysis / attack enumeration:
Update: PBKDF2 requires a pseudo-random function that takes two inputs, so HMAC-SHA1 is used rather than plain SHA1. HMAC is not affected by length extension attacks. However, by defaulting to a single PBKDF2 iteration, the hashes do not benefit from the extra computational complexity that PBKDF2 is supposed to provide. The resulting hashes therefore have little protection against an offline brute-force attack.
crypto-js has 10,642 public users as displayed on NPM, today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.
A very rough GitHub search shows 432 files cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.
Affected versions
All versions are impacted. This code has been the same since crypto-js was first created.
Further Cryptanalysis
The issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.
Consider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.
To encrypt the user password via symmetric encryption we might do
encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper)). By this means, we would, in theory, create anencryption_keythat can be determined from the public username, but which requires the secretsalt_or_pepperto generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.Because of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker does not need to know
salt_or_pepperto decrypt their account data, only their public username.Description
PBKDF2 is a key-derivation is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).
Unlike the modern webcrypto standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 2000, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, OWASP recommends 1,300,000:
https://github.com/brix/crypto-js/blob/4dcaa7afd08f48cd285463b8f9499cdb242605fa/src/pbkdf2.js#L22-L26
Patches
No available patch. The package is not maintained.
Workarounds
Consult the OWASP PBKDF2 Cheatsheet. Configure to use SHA256 with at least 250,000 iterations.
Coordinated disclosure
This issue was simultaneously submitted to crypto-js and crypto-es on the 23rd of October 2023.
Caveats
This issue was found in a security review that was not scoped to crypto-js. This report is not an indication that crypto-js has undergone a formal security assessment by the author.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
brix/crypto-js (crypto-js)
v4.2.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.