
Java suffers from a crypto bug that allows attackers to bypass digital signatures; Oracle releases fixes

Java versions 15 and higher include a flaw in the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), which cybercriminals can use to forge certain types of Secure Sockets Layer (SSL) certificates, signed JSON Web Tokens (JWTs), and two-factor authentication messages as well. The problem was first discovered last year and reported to Oracle, which finally fixed it last week. However, as companies take time to update their systems with the latest releases, any device that uses the affected Java versions to consume digitally signed data could be at risk.

Oracle fixed the problem, which is also being called a blunder in the community, as part of more than 500 fixes. The vulnerability is tracked as CVE-2022-21449.

Neil Madden, a researcher at the security consultancy firm ForgeRock, discovered the security flaw and reported it privately to Oracle in November. Although the software company gave the issue a severity rating of 7.5 out of 10, experts, including ForgeRock, rated its severity at 10, saying it can have a big impact “due to the wide range of effects on different activity”.

“If you are running one of the malicious versions, the attacker can easily decrypt certain types of SSL certificates and handshakes (allowing interceptions and modifications of communications), signed JWTs, SAML statements or OIDC ID tokens, and even forge the WebAuthn authentication messages into a copy,” Madden wrote in the blog post.

Cybercriminals and hackers can use the flaw to digitally sign a malicious app or file, with varying implications for end users. This allows attackers to eventually gain backdoor access to systems or to break into a network using files and data that appear authentic and trusted.

Java uses ECDSA, which is based on the principles of elliptic curve cryptography, one of the best known and most widely used methods for implementing key agreement and digital signatures. The researcher found that the bug was introduced when the elliptic curve cryptography code was rewritten from native C++ to Java, which happened with the release of Java 15.

Digital signatures based on elliptic curve cryptography generally require users to prove to recipients that they have access to the private key associated with the public key. This helps verify authentication and allows users to gain access to data. It also prevents users who do not have access to the relevant private key from presenting a digital signature for handshakes.

However, by exploiting the flaw, an attacker can present a blank signature that the system considers valid and that validates against any public key.

Madden calls these signatures “psychic paper”, after a plot device from the long-running sci-fi series Doctor Who. It is essentially a completely blank piece of paper, but it is designed to act for the protagonist as a security pass, warrant or proof, based on what others want to see.

“The ECDSA signature has two values called r and s,” the researcher said, explaining the error. “To verify the ECDSA signature, the verifier checks r, s, the signature’s public key and the hash of the message. The signature is valid if both sides of the equation are equal, otherwise it is rejected.”

The verification process includes the condition that r and s must not be zero. However, this is not the case with Java’s verification.

“Java’s ECDSA signature verification does not check whether r or s are zero, so you can generate a signature value in which both are 0 (correctly encoded) and Java will accept it as a valid signature for any message and any public key,” Madden said.
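The range check Madden describes, as an added Python example (not code from the article, the JDK or Madden's post): it decodes a P-256 signature from DER or from the fixed-width r || s form used by JWS and tests that r and s lie between 1 and n - 1 before any verification is attempted. The function names and the sample bytes are constructed for illustration, and only short-form DER lengths are handled, which is sufficient for P-256.

```python
# Order n of the NIST P-256 group (public curve parameter).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _read_der_integer(buf, pos):
    """Parse one DER INTEGER at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length = buf[pos + 1]
    if length == 0 or length & 0x80:  # short-form lengths cover P-256
        raise ValueError("unsupported INTEGER length")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated INTEGER")
    body = buf[pos + 2:end]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), end


def parse_der_signature(sig):
    """Decode SEQUENCE { INTEGER r, INTEGER s } into (r, s)."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] & 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("malformed SEQUENCE")
    r, pos = _read_der_integer(sig, 2)
    s, pos = _read_der_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return r, s


def parse_raw_signature(sig, size=32):
    """Decode the fixed-width r || s form used by JWS ES256."""
    if len(sig) != 2 * size:
        raise ValueError("wrong length")
    return int.from_bytes(sig[:size], "big"), int.from_bytes(sig[size:], "big")


def passes_range_check(r, s, n=P256_N):
    """True only if 1 <= r <= n - 1 and 1 <= s <= n - 1."""
    return 1 <= r < n and 1 <= s < n


if __name__ == "__main__":
    # Constructed sample: DER encoding of r = 0, s = 0.
    r, s = parse_der_signature(bytes.fromhex("3006020100020100"))
    print(passes_range_check(r, s))  # False
```

Passing this check does not make a signature valid; it is only the precondition that must hold before the verification equation is evaluated.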

Echoing the severity highlighted by Madden, security expert Thomas Ptacek called the issue the “crypto bug of the year.”

Data security company Sophos also pointed out in a blog post that the bug does not just affect Java servers that interact with client software.

“Any device that consumes digitally signed data on your network could be at risk,” it said.

The affected Java versions, Java 15 to 18, are thankfully not as widely used as their predecessors. According to data from a survey conducted between February and March 2021, cybersecurity firm Snyk said Java 11 accounts for more than 61 percent of total deployments, while Java 15 has a 12 percent share.

However, IT managers and companies are advised to update their Java version quickly to avoid any future attacks.

