
CVE-2021-43568: ecdsa-elixir fails to check signatures, vulnerable to message forging

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.42734%
Published: 5/24/2022
Updated: 9/27/2023
KEV Status: No
Technology: Erlang

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: ecdsa-elixir
Ecosystem: erlang
Vulnerable Versions: = 1.0.0
First Patched Version: 1.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The flaw sits in the signature verification flow. ANSI X9.62 requires a verifier to reject any signature whose r or s component lies outside the range [1, n-1], where n is the order of the curve's base point, before it performs any further arithmetic; ecdsa-elixir 1.0.0 skipped that step. The commit diff shows the vulnerable version lacked the 'cond do' block that checks signature.r and signature.s against this range, while the patched version (1.0.1) adds it. Without the check, the arithmetic is run on degenerate values that were never produced by a signing operation, and a degenerate signature such as r = s = 0 is the classic case that a lenient verifier accepts for any message under any public key. The Python example demonstrates how the missing range check leads to exactly this kind of forgery, and the Elixir implementation followed the same flawed pattern prior to the patch. The CWE-347 mapping (Improper Verification of Cryptographic Signature) is consistent with a verification-logic flaw rather than a weakness in key handling or nonce generation.


WAF Protection Rules

WAF Rule

Summary: Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptograp
