CVE-2019-14859
📋 TL;DR
This vulnerability in python-ecdsa allows attackers to forge digital signatures by exploiting improper DER encoding validation. Systems using python-ecdsa for cryptographic operations (like blockchain transactions or authentication) are affected. The flaw enables signature malleability, potentially allowing false transactions or authentication bypass.
💻 Affected Systems
- python-ecdsa library
📦 What is this software?
Openstack by Redhat
Python Ecdsa by Python Ecdsa Project
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of cryptographic integrity leading to forged blockchain transactions, unauthorized access to systems using ECDSA signatures for authentication, or manipulation of signed data.
Likely Case
Transaction manipulation in blockchain applications, bypassing signature verification in authentication systems, or tampering with signed documents.
If Mitigated
Limited impact with proper signature validation layers and monitoring, though cryptographic assurance is still compromised.
🎯 Exploit Status
Exploitation requires ability to submit signatures to vulnerable systems. Public proof-of-concept exists in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.3
Vendor Advisory: https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
Restart Required: No
Instructions:
1. Update python-ecdsa: pip install ecdsa==0.13.3 or pip install --upgrade ecdsa
2. Verify installation: pip show ecdsa
3. Restart any services using the library
🔧 Temporary Workarounds
Manual signature validation: implement additional strict DER encoding validation before accepting signatures
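The workaround above as an added example (not python-ecdsa's own code): a strict DER parser that rejects every non-canonical ECDSA signature encoding before the bytes reach the verifier, so one (r, s) pair has exactly one accepted byte string. It assumes the NIST P-256 group order for the range check and uses constructed byte strings as sample input.

```python
# Added example, not python-ecdsa's own code: strict DER pre-check so one (r, s) pair has exactly one accepted encoding.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # NIST P-256 group order

def _read_length(buf, pos):
    # DER length at buf[pos]; rejects indefinite and non-minimal forms
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                        # short form, one byte
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("indefinite, oversized or truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0 or length < 0x80:      # leading zero byte, or short form would do
        raise ValueError("non-minimal length encoding")
    return length, pos + n
def _read_integer(buf, pos):
    # One DER INTEGER; rejects empty, negative and non-minimal values
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[pos:pos + length]
    if body[0] & 0x80 or (length > 1 and body[0] == 0 and not body[1] & 0x80):
        raise ValueError("negative INTEGER or redundant leading zero")
    return int.from_bytes(body, "big"), pos + length

def parse_der_signature_strict(sig, order=P256_ORDER):
    # Return (r, s) from a canonical DER ECDSA signature, else raise ValueError
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _read_length(sig, 1)
    if pos + seq_len != len(sig):
        raise ValueError("trailing bytes or truncated SEQUENCE")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("extra content inside SEQUENCE")
    if not (0 < r < order and 0 < s < order):
        raise ValueError("r or s outside [1, order-1]")
    return r, s

# Constructed vectors: canonical encoding of (r, s) = (1, 2) and three mutants a lenient decoder treats as the same signature
CANONICAL = bytes.fromhex("3006020101020102")
MUTANTS = [bytes.fromhex(h) for h in (
    "300602010102010200",   # trailing byte after the SEQUENCE
    "300702020001020102",   # r encoded as 00 01 (redundant leading zero)
    "308106020101020102")]  # long-form length where short form suffices
```

Run the gate in front of the existing verifier: only bytes that parse here are handed on, and the decoded (r, s) can be compared against what the library decodes to catch any divergence.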
🧯 If You Can't Patch
- Implement additional signature validation using alternative cryptographic libraries
- Monitor for anomalous signature patterns and implement rate limiting on signature verification endpoints
🔍 How to Verify
Check if Vulnerable:
Check python-ecdsa version: pip show ecdsa | grep Version
Verify Fix Applied:
Verify version is 0.13.3 or higher: pip show ecdsa | grep Version
📡 Detection & Monitoring
Log Indicators:
- Failed signature verification attempts, malformed signature submissions, unexpected transaction signatures
Network Indicators:
- Unusual signature patterns in network traffic, repeated signature submissions
SIEM Query:
signature_verification_failed OR malformed_signature OR ecdsa_error
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
- https://github.com/warner/python-ecdsa/issues/114
- https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
- https://pypi.org/project/ecdsa/0.13.3/