CVE-2021-43569: Improper Verification of Cryptographic Signature in starkbank-ecdsa

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.44793%
Published: 11/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: starkbank-ecdsa
Ecosystem: nuget
Vulnerable Versions: < 1.3.2
First Patched Version: 1.3.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly states that the verify() function lacked a non-zero signature check. The v1.3.2 release notes mention fixing the 'Signature r and s range check', indicating that these components were not properly validated during verification. In ECDSA, both r and s must be non-zero integers in the range 1 to n-1, where n is the curve order; accepting values outside that range enables signature forgery. The most likely location for the missing validation is the core Verify method responsible for signature validation.
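To make the missing check concrete, here is an added example (not code from starkbank-ecdsa) of an unchecked ECDSA verifier beside one that enforces the r, s range check, on a constructed toy curve. The modelled behaviours that let an all-zero signature pass (a modular inverse that returns 0 for a zero input, and the point at infinity encoded with x = 0) are assumptions standing in for library internals the page does not show; the curve, keys and nonce are constructed values.

```python
# Toy ECDSA on the textbook curve y^2 = x^3 + 2x + 2 over GF(17), base point (5, 1) of order 19 (constructed; real code uses curves such as P-256).
p, a, n = 17, 2, 19
G = (5, 1)
INF = None  # point at infinity

def mod_inv(x, m):
    # Assumption: returns 0 for a zero input instead of raising, as some hand-rolled extended-Euclid inverses do.
    return 0 if x % m == 0 else pow(x, -1, m)

def point_add(P, Q):
    if P is INF: return Q
    if Q is INF: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * mod_inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * mod_inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mul(k, P):
    R = INF  # double-and-add
    while k:
        if k & 1:
            R = point_add(R, P)
        P, k = point_add(P, P), k >> 1
    return R

def sign(d, z, k):
    # d: private key, z: digest reduced mod n, k: nonce in [1, n-1]
    r = scalar_mul(k, G)[0] % n
    s = mod_inv(k, n) * (z + r * d) % n
    return r, s

def verify_unchecked(pub, z, r, s):
    # Vulnerable shape: r and s are used without checking that they lie in [1, n-1].
    w = mod_inv(s, n)
    R = point_add(scalar_mul(z * w % n, G), scalar_mul(r * w % n, pub))
    x = 0 if R is INF else R[0]  # assumption: infinity encoded as x = 0, like an affine (0, 0)
    return r == x % n

def verify_checked(pub, z, r, s):
    # Fixed shape: reject out-of-range r or s before any curve arithmetic.
    if not (1 <= r <= n - 1 and 1 <= s <= n - 1):
        return False
    w = mod_inv(s, n)
    R = point_add(scalar_mul(z * w % n, G), scalar_mul(r * w % n, pub))
    return R is not INF and r == R[0] % n
```

With private key 4, digest 8 and nonce 3, sign() yields (10, 16), which both verifiers accept; the all-zero pair (0, 0) is accepted only by the unchecked verifier, which is the regression case a fix for this bug class should cover.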

WAF Protection Rules

WAF Rule

The verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) 1.3.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
