5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11840

GHSA ID

GHSA-r5c5-pr8j-pfp7

EPSS Score

0.8405%

CWE

CWE-330

Published

5/24/2022

Updated

9/29/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-11840

CVE-2019-11840: golang.org/x/crypto/salsa20/salsa uses insufficiently random values

An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Specific Go Packages Affected

golang.org/x/crypto/salsa20/salsa

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11840

GHSA ID

GHSA-r5c5-pr8j-pfp7

EPSS Score

0.8405%

CWE

CWE-330

Published

5/24/2022

Updated

9/29/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
golang.org/x/crypto	go	< 0.0.0-20190320223903-b7391e95e576	0.0.0-20190320223903-b7391e95e576

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the amd64-specific assembly implementation of Salsa20's XORKeyStream() function. The CVE description explicitly mentions the amd64 implementation's failure when counters exceed 32 bits. The commit b7391e95 shows modifications to the salsa20_amd64.s assembly file to fix counter handling. The GitHub issue #30965 confirms this affects the XORKeyStream implementation in the amd64 assembly code. The vulnerability manifests specifically in the low-level counter management logic that wasn't properly handling 64-bit values, leading to keystream repetition.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in suppl*m*nt*ry *o *rypto*r*p*y li*r*ri*s, *k* *ol*n*-*oo*l**o**-*o-*rypto, ***or* ****-**-**. * *l*w w*s *oun* in t** *m*** impl*m*nt*tion o* *ol*n*.or*/x/*rypto/s*ls*** *n* *ol*n*.or*/x/*rypto/s*ls***/s*ls*. I* mor* t**n **

Reasoning

T** vuln*r**ility st*ms *rom t** *m***-sp**i*i* *ss*m*ly impl*m*nt*tion o* `S*ls***`'s `XORK*yStr**m()` *un*tion. T** *V* **s*ription *xpli*itly m*ntions t** *m*** impl*m*nt*tion's **ilur* w**n *ount*rs *x**** ** *its. T** *ommit `********` s*ows mo*

5.9

Basic Information

Concerned about an active attack path?

CVE-2019-11840: golang.org/x/crypto/salsa20/salsa uses insufficiently random values

Specific Go Packages Affected

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI