CVE-2024-42460
📋 TL;DR
This vulnerability in the Elliptic package for Node.js lets an attacker produce several distinct, valid encodings of one ECDSA signature for the same message, because the DER decoder does not reject r and s components that carry unnecessary leading zero bytes. It affects any application that relies on Elliptic 6.5.6 to verify ECDSA signatures, and can undermine systems that assume each message has exactly one valid signature.
💻 Affected Systems
- elliptic npm package, version 6.5.6 (fixed in 6.5.7)
📦 What is this software?
Elliptic, maintained by Fedor Indutny, is a pure-JavaScript elliptic-curve cryptography library (ECDSA, ECDH, EdDSA) that is used directly by applications and pulled in as a transitive dependency by many other npm packages.
⚠️ Risk & Real-World Impact
Worst Case
Signature forgery leading to authentication bypass, transaction manipulation in blockchain applications, or compromise of systems relying on ECDSA signatures for security decisions.
Likely Case
Signature malleability: an attacker who holds one valid signature re-encodes it into another byte string that still verifies, bypassing signature-uniqueness assumptions in applications such as cryptocurrency transaction processing or document signing systems.
If Mitigated
Limited impact if applications implement additional signature validation or use signature schemes that are resilient to malleability.
🎯 Exploit Status
Exploitation requires understanding of ECDSA signature format and the ability to modify signature data before verification. Attackers need to know how the target application processes signatures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.7 and later
Vendor Advisory: https://github.com/indutny/elliptic/pull/317
Restart Required: Yes
Instructions:
1. Update elliptic package: npm update elliptic
2. Verify version is 6.5.7 or higher: npm list elliptic
3. Restart Node.js applications using the elliptic package
4. Test signature verification functionality
🔧 Temporary Workarounds
Implement custom signature validation
Add validation that rejects signatures whose r or s component carries an unnecessary leading zero byte (a leading 0x00 is only legitimate when the next byte has its high bit set) before passing the signature to elliptic's verify function.
// JavaScript code to validate a DER-encoded ECDSA signature (Buffer) before verification
function validateSignature(signature) {
  if (signature[0] !== 0x30 || signature[1] !== signature.length - 2) return false; // SEQUENCE header
  let pos = 2; // walk INTEGER r, then INTEGER s; v is the first value byte of each
  for (let i = 0; i < 2; i++, pos += 2 + signature[pos + 1]) {
    const len = signature[pos + 1], v = pos + 2;
    if (signature[pos] !== 0x02 || len === 0 || (signature[v] & 0x80)) return false; // bad tag, empty, negative
    if (signature[v] === 0x00 && (len === 1 || !(signature[v + 1] & 0x80))) return false; // unnecessary leading zero
  }
  return pos === signature.length; // exactly two integers, no trailing bytes
}
🧯 If You Can't Patch
- Implement additional signature validation in application code to reject signatures whose r or s component carries an unnecessary leading zero byte
- Monitor for unusual signature patterns or multiple valid signatures for the same message
🔍 How to Verify
Check if Vulnerable:
Inspect package.json and package-lock.json (elliptic is frequently a transitive dependency), or run: npm list elliptic | grep elliptic. Any copy reporting version 6.5.6 is vulnerable.
Check Version:
npm list elliptic | grep elliptic
Verify Fix Applied:
Confirm that every listed copy of elliptic is 6.5.7 or higher: npm list elliptic
📡 Detection & Monitoring
Log Indicators:
- Multiple successful signature verifications for same message with different signatures
- Signature validation errors related to format issues
Network Indicators:
- Unusual patterns in signature-based API calls
- Repeated signature submissions with minor variations
SIEM Query:
Search application logs for signature-verification failures, and for more than one successful verification of the same message (or message hash) with differing signature bytes.
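As an added example of the log indicator and SIEM query above (this is not code from the advisory or from the Elliptic project), the following Node.js snippet groups constructed verification log lines per message and separates the CVE-2024-42460 pattern (one (r, s) pair seen under several DER encodings) from a message that was legitimately signed more than once. The log line format, the field names and the sample signatures are all assumptions made for the example.

```javascript
'use strict';

// Lenient (r, s) extraction: mirrors what a pre-6.5.7 verifier accepted by NOT rejecting
// unnecessary leading zeros, so two encodings of the same (r, s) pair compare equal.
// Returns "r:s" as minimal hex. Assumes short-form DER lengths (true for 256-bit curves).
function lenientRS(sigHex) {
  const b = Buffer.from(sigHex, 'hex');
  const parts = [];
  let pos = 2; // skip SEQUENCE tag and length
  for (let i = 0; i < 2; i++) {
    const len = b[pos + 1], start = pos + 2;
    let v = b.subarray(start, start + len);
    while (v.length > 1 && v[0] === 0x00) v = v.subarray(1); // drop leading zero bytes
    parts.push(v.toString('hex'));
    pos = start + len;
  }
  return parts.join(':');
}

// Constructed sample log lines (not from any real system): outcome, message hash, DER sig.
const SAMPLE_LOG = [
  'sig_verify ok msg=aa11 sig=30070202008002017f',
  'sig_verify ok msg=aa11 sig=3008020200800202007f', // same (r, s), s padded with 0x00
  'sig_verify ok msg=bb22 sig=3006020111020122',
  'sig_verify ok msg=bb22 sig=3006020133020144',     // genuinely different (r, s)
  'sig_verify fail msg=cc33 sig=3006020111020122',   // failures are not counted
];
const LINE_RE = /^sig_verify (ok|fail) msg=([0-9a-f]+) sig=([0-9a-f]+)$/;

// Flags every message that verified successfully under more than one signature encoding and
// labels it: re-encodings of one (r, s) pair (the malleability pattern) or distinct signatures.
function findMultiVerify(lines) {
  const perMsg = new Map(); // msg -> { encodings: Set<hex>, rs: Set<"r:s"> }
  for (const line of lines) {
    const m = LINE_RE.exec(line.trim());
    if (!m || m[1] !== 'ok') continue;
    const [, , msg, sig] = m;
    if (!perMsg.has(msg)) perMsg.set(msg, { encodings: new Set(), rs: new Set() });
    const e = perMsg.get(msg);
    e.encodings.add(sig);
    e.rs.add(lenientRS(sig));
  }
  const findings = [];
  for (const [msg, e] of perMsg) {
    if (e.encodings.size < 2) continue;
    const kind = e.rs.size === 1 ? 'malleable_reencoding' : 'distinct_signatures';
    findings.push({ msg, encodings: e.encodings.size, distinctRS: e.rs.size, kind });
  }
  return findings;
}
```

Run `findMultiVerify(SAMPLE_LOG)` to see one `malleable_reencoding` finding for `aa11` and one `distinct_signatures` finding for `bb22`; the failed `cc33` line is ignored.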