CVE-2020-25021
📋 TL;DR
This vulnerability in Noise-Java allows out-of-bounds memory access in the ChaChaPolyCipherState.encryptWithAd() function due to insufficient boundary checks. Attackers can potentially read or write beyond allocated memory boundaries, leading to information disclosure or remote code execution. Any Java application using affected versions of the Noise-Java library for cryptographic operations is vulnerable.
💻 Affected Systems
- Noise-Java library
📦 What is this software?
Noise Java by Noise Java Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or service disruption.
Likely Case
Memory corruption leading to application crashes, information disclosure, or denial of service.
If Mitigated
Limited impact if proper memory protections (ASLR, DEP) are enabled and the application runs with minimal privileges.
🎯 Exploit Status
Proof-of-concept details are publicly available in security advisories. Exploitation requires triggering the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 18e86b6f8bea7326934109aa9ffa705ebf4bde90 and later
Vendor Advisory: https://github.com/rweather/noise-java/commit/18e86b6f8bea7326934109aa9ffa705ebf4bde90
Restart Required: Yes
Instructions:
1. Update the Noise-Java library to a version after commit 18e86b6f8bea7326934109aa9ffa705ebf4bde90.
2. Rebuild and redeploy affected applications.
3. Restart services using the library.
🔧 Temporary Workarounds
Disable vulnerable function
Avoid using the ChaChaPolyCipherState.encryptWithAd() method if possible
N/A - configuration change
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Apply strict input validation and sanitization to prevent triggering the vulnerable code path
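The input-validation mitigation above, as an added example (not code from Noise-Java or from this advisory): a guard a caller could run on the offset and length arguments before handing buffers to encryptWithAd(). The class and method names are hypothetical, and the argument layout (plaintext, plaintextOffset, ciphertext, ciphertextOffset, length) plus a 16-byte Poly1305 MAC appended to the ciphertext are assumptions.

```java
public class EncryptBoundsGuard {
    // Assumed size of the Poly1305 tag appended to the ciphertext.
    static final int MAC_LEN = 16;

    /** Returns null when the arguments are safe to pass on, otherwise the reason to reject them. */
    static String validate(byte[] plaintext, int plaintextOffset,
                           byte[] ciphertext, int ciphertextOffset, int length) {
        if (plaintext == null || ciphertext == null)
            return "null buffer";
        if (length < 0 || plaintextOffset < 0 || ciphertextOffset < 0)
            return "negative offset or length";
        // Compare against the remaining space by subtraction, so a huge offset
        // or length cannot overflow int and wrap into a value that passes.
        if (plaintextOffset > plaintext.length
                || length > plaintext.length - plaintextOffset)
            return "plaintext range outside buffer";
        if (ciphertextOffset > ciphertext.length
                || ciphertext.length - ciphertextOffset < MAC_LEN
                || length > ciphertext.length - ciphertextOffset - MAC_LEN)
            return "ciphertext buffer too small for data plus MAC";
        return null;
    }

    public static void main(String[] args) {
        byte[] pt = new byte[32];   // constructed sample buffers
        byte[] ct = new byte[48];
        // Constructed cases: {plaintextOffset, ciphertextOffset, length}
        int[][] cases = {
            {0, 0, 32},                  // data plus MAC fills ct exactly
            {0, 0, 33},                  // reads past the end of pt
            {-1, 0, 8},                  // negative offset
            {0, 40, 16},                 // no room left for the MAC
            {16, 0, Integer.MAX_VALUE},  // offset + length would overflow int
        };
        for (int[] c : cases) {
            String why = validate(pt, c[0], ct, c[1], c[2]);
            System.out.printf("ptOff=%d ctOff=%d len=%d -> %s%n",
                    c[0], c[1], c[2], why == null ? "accept" : "reject: " + why);
        }
    }
}
```

A guard like this reduces exposure while the patched library is being rolled out; it does not replace the update.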
🔍 How to Verify
Check if Vulnerable:
Check if your application uses Noise-Java version dated 2020-08-27 or earlier. Review dependency manifests (pom.xml, build.gradle) for noise-java library references.
Check Version:
Check build dependencies or run: java -cp noise-java.jar com.example.VersionCheck (if available)
Verify Fix Applied:
Verify the library version includes commit 18e86b6f8bea7326934109aa9ffa705ebf4bde90 or later. Test that ChaChaPolyCipherState.encryptWithAd() functions correctly with boundary tests.
📡 Detection & Monitoring
Log Indicators:
- Java stack traces containing 'ArrayIndexOutOfBoundsException' or 'OutOfMemoryError' related to noise-java
- Application crashes during cryptographic operations
Network Indicators:
- Unusual network traffic patterns from applications using Noise-Java
- Unexpected data exfiltration from affected systems
SIEM Query:
source="application.logs" AND ("ArrayIndexOutOfBoundsException" OR "OutOfMemoryError") AND "noise-java"
🔗 References
- http://packetstormsecurity.com/files/159057/Noise-Java-ChaChaPolyCipherState.encryptWithAd-Insufficient-Boundary-Checks.html
- http://seclists.org/fulldisclosure/2020/Sep/14
- https://github.com/rweather/noise-java/commit/18e86b6f8bea7326934109aa9ffa705ebf4bde90
- https://github.com/rweather/noise-java/pull/12