| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cggmp21 | rust | <= 0.6.3 | |
| cggmp24 | rust | < 0.7.0-alpha.2 | 0.7.0-alpha.2 |
The patch and the vulnerability description together point to two distinct attack vectors, both arising from an overly permissive API around presignatures and the data they are used to sign in cggmp21 and cggmp24. Note from the table above that no patched cggmp21 release is listed; the fix ships in cggmp24 0.7.0-alpha.2, so users of the older crate need to move to cggmp24 rather than wait for a 0.6.x update.
HD Wallet Derivation Attack: The function cggmp21::signing::Presignature::set_derivation_path allowed the derivation path bound to a presignature to be changed after the presignature had been created. This malleability could be exploited to weaken the security of HD wallets; the description does not spell out the exploit. The mitigation removed the function from the API entirely, so a presignature's derivation path now has to be fixed at the point where the presignature is created.
Signature Forgery via Raw Hash Signing: This attack combined two functions. First, cggmp21::signing::DataToSign::from_scalar let a caller construct a DataToSign value directly from a raw scalar (a purported hash) without ever presenting the message it was supposed to represent. Second, cggmp21::signing::Presignature::issue_partial_signature accepted such a value and spent the presignature on it. According to the description, an attacker could craft a scalar that, once signed, yields a valid signature on a different message of the attacker's choosing. The construction is not reproduced in the description, but the underlying point is general: ECDSA's security argument assumes the signed scalar is the hash of the message, and a caller-supplied scalar breaks that binding. The patch removes from_scalar from DataToSign and introduces a separate PrehashedDataToSign type that issue_partial_signature does not accept, so a presignature can no longer be spent on a raw scalar and the chain is broken at the type level.
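The advisory summary does not give the attacker's scalar, so the example below, which is added here and is not cggmp21 or cggmp24 code, shows the textbook reason ECDSA must never operate on a caller-chosen scalar: against a verifier that accepts a raw scalar, anyone can produce an (e, r, s) triple that verifies under any public key, with no private key and no signing oracle, whereas the forger cannot steer e to the hash of a message of their choice. It also mirrors the intent of the fix by making a hashable-message type the only route to a signable scalar. Everything is assumed for illustration: the curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of order 19 (the Paar and Pelzl textbook curve), a toy polynomial hash reduced mod 19, the nonce and key values, and the names DataToSign, sign, verify_scalar, verify_message and forge_raw_scalar, none of which are the library's API.

```rust
// Added illustration, not cggmp21/cggmp24 code. Toy curve y^2 = x^3 + 2x + 2 over F_17,
// generator G = (5, 1) of prime order 19 (assumed from the Paar & Pelzl textbook). It has
// no security; it only makes the ECDSA algebra visible.
const P: i64 = 17; // field modulus
const A: i64 = 2; // curve coefficient a
const N: i64 = 19; // order of G

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Point {
    Infinity,
    Affine(i64, i64),
}

const G: Point = Point::Affine(5, 1);

fn modp(x: i64, m: i64) -> i64 {
    ((x % m) + m) % m
}

// Modular inverse by Fermat (m prime); inv(0) yields 0, callers guard against it.
fn inv(x: i64, m: i64) -> i64 {
    let (mut base, mut exp, mut acc) = (modp(x, m), m - 2, 1);
    while exp > 0 {
        if exp & 1 == 1 {
            acc = acc * base % m;
        }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

fn add(p: Point, q: Point) -> Point {
    match (p, q) {
        (Point::Infinity, _) => q,
        (_, Point::Infinity) => p,
        (Point::Affine(x1, y1), Point::Affine(x2, y2)) => {
            if x1 == x2 && modp(y1 + y2, P) == 0 {
                return Point::Infinity; // p == -q
            }
            let lambda = if p == q {
                modp((3 * x1 * x1 + A) * inv(2 * y1, P), P)
            } else {
                modp((y2 - y1) * inv(x2 - x1, P), P)
            };
            let x3 = modp(lambda * lambda - x1 - x2, P);
            let y3 = modp(lambda * (x1 - x3) - y1, P);
            Point::Affine(x3, y3)
        }
    }
}

// Double-and-add scalar multiplication, scalar reduced mod N.
fn mul(k: i64, p: Point) -> Point {
    let (mut acc, mut addend, mut k) = (Point::Infinity, p, modp(k, N));
    while k > 0 {
        if k & 1 == 1 {
            acc = add(acc, addend);
        }
        addend = add(addend, addend);
        k >>= 1;
    }
    acc
}

/// The only way to obtain a signable scalar: hash a message. There is deliberately
/// no constructor from a raw scalar (the analogue of the removed from_scalar).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct DataToSign(i64);

impl DataToSign {
    fn digest(message: &[u8]) -> Self {
        // Toy hash: polynomial fold mod N, standing in for SHA-256 reduced mod n.
        DataToSign(message.iter().fold(0i64, |h, &b| (h * 31 + b as i64) % N))
    }
    fn scalar(&self) -> i64 {
        self.0
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct Signature {
    r: i64,
    s: i64,
}

/// Plain ECDSA with private key d and nonce k: s = k^-1 (e + r d) mod N.
fn sign(d: i64, k: i64, data: DataToSign) -> Option<Signature> {
    let r = match mul(k, G) {
        Point::Affine(x, _) => modp(x, N),
        Point::Infinity => return None,
    };
    let s = modp(inv(k, N) * modp(data.scalar() + r * d, N), N);
    if r == 0 || s == 0 { None } else { Some(Signature { r, s }) }
}

/// Verification over a raw scalar e. This is the primitive; on its own it says
/// nothing about any message, which is exactly the problem with accepting raw scalars.
fn verify_scalar(q: Point, e: i64, sig: Signature) -> bool {
    if sig.r <= 0 || sig.r >= N || sig.s <= 0 || sig.s >= N {
        return false;
    }
    let w = inv(sig.s, N);
    let u1 = modp(modp(e, N) * w, N);
    let u2 = modp(sig.r * w, N);
    match add(mul(u1, G), mul(u2, q)) {
        Point::Affine(x, _) => modp(x, N) == sig.r,
        Point::Infinity => false,
    }
}

/// Hardened entry point: the scalar is derived from the message, never supplied.
fn verify_message(q: Point, message: &[u8], sig: Signature) -> bool {
    verify_scalar(q, DataToSign::digest(message).scalar(), sig)
}

/// Existential forgery against raw-scalar verification. For any public key q and any
/// a, b with b != 0: R = aG + bQ, r = x(R), s = r b^-1, e = a s. Then u1 = a, u2 = b and
/// u1 G + u2 Q = R, so (e, r, s) verifies. The forger does not control e, so a verifier
/// that insists on e = digest(message) is only fooled if the hash can be inverted.
fn forge_raw_scalar(q: Point, a: i64, b: i64) -> Option<(i64, Signature)> {
    let r = match add(mul(a, G), mul(b, q)) {
        Point::Affine(x, _) => modp(x, N),
        Point::Infinity => return None,
    };
    let s = modp(r * inv(b, N), N);
    let e = modp(a * s, N);
    if r == 0 || s == 0 { None } else { Some((e, Signature { r, s })) }
}

fn main() {
    let d = 7; // toy private key (assumed)
    let q = mul(d, G);
    let sig = sign(d, 5, DataToSign::digest(b"pay 2")).unwrap();
    println!("honest {:?} verifies for \"pay 2\": {}", sig, verify_message(q, b"pay 2", sig));
    let (e, forged) = forge_raw_scalar(q, 2, 3).unwrap();
    println!("forged e={} {:?} verifies as raw scalar: {}", e, forged, verify_scalar(q, e, forged));
    println!("forged verifies for \"pay 2\": {}", verify_message(q, b"pay 2", forged));
}
```

The honest path goes through DataToSign::digest and verify_message; the forged triple passes verify_scalar yet fails verify_message because its e is whatever a·s happened to be, not the hash of the message the attacker wanted. That gap is what a raw-scalar constructor throws away, and why keeping PrehashedDataToSign out of the presignature path restores it.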
Affected functions (all in cggmp21/src/signing.rs):
- `cggmp21::signing::Presignature::set_derivation_path`
- `cggmp21::signing::DataToSign::from_scalar`
- `cggmp21::signing::Presignature::issue_partial_signature`