CVE-2023-30590
📋 TL;DR
This vulnerability in Node.js's crypto module causes the generateKeys() function to not properly generate public keys after setPrivateKey() is called, contrary to documentation. This can lead to incomplete or insecure Diffie-Hellman key exchanges in applications relying on this API for cryptographic operations. Any Node.js application using crypto.createDiffieHellman() with manual private key setting is affected.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
Node.js by Nodejs
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of cryptographic security in applications using Diffie-Hellman for key exchange, potentially allowing man-in-the-middle attacks, data interception, or authentication bypass in systems relying on this for secure communications.
Likely Case
Incomplete or incorrect key generation leading to failed cryptographic operations, connection failures, or degraded security in applications using the affected API functions.
If Mitigated
Applications that don't use crypto.createDiffieHellman() with setPrivateKey() followed by generateKeys() are unaffected. Proper input validation and error handling can reduce impact.
🎯 Exploit Status
Exploitation requires specific API usage patterns and understanding of the cryptographic context. No public exploits have been documented, but the vulnerability is well-understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 18.16.1, 20.3.1, 16.20.1 or later
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
Restart Required: Yes
Instructions:
1. Identify Node.js version with 'node --version'. 2. Update to patched version using package manager (npm update -g node) or download from nodejs.org. 3. Restart all Node.js applications and services. 4. Test cryptographic functionality.
🔧 Temporary Workarounds
Avoid setPrivateKey() with generateKeys() pattern
allModify code to avoid calling generateKeys() after setPrivateKey(). Use alternative key generation patterns or compute public key manually when needed.
🧯 If You Can't Patch
- Review and modify application code to avoid the vulnerable API usage pattern (setPrivateKey() followed by generateKeys())
- Implement additional validation and error handling for cryptographic operations to detect incomplete key generation
🔍 How to Verify
Check if Vulnerable:
Check Node.js version with 'node --version'. If version is below 18.16.1, 20.3.1, or 16.20.1, and application uses crypto.createDiffieHellman() with setPrivateKey() and generateKeys(), it's vulnerable.Check Version:
node --versionVerify Fix Applied:
After updating, verify version with 'node --version' shows patched version. Test the specific API pattern in a controlled environment to confirm proper key generation.📡 Detection & Monitoring
Log Indicators:
- Errors in cryptographic operations
- Failed key exchanges
- Unexpected behavior in crypto module functions
Network Indicators:
- Failed TLS/SSL handshakes if using affected crypto functions
- Incomplete cryptographic negotiations
SIEM Query:
Search for application logs containing crypto module errors, failed Diffie-Hellman operations, or version information showing vulnerable Node.js versions.🔗 References
- https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://security.netapp.com/advisory/ntap-20241101-0011/
