data/reports/GO-2023-1765.yaml - vulndb - Git at Google

 id: GO-2023-1765
 modules:
     - module: github.com/cloudflare/circl
       versions:
         - fixed: 1.3.3
       vulnerable_at: 1.3.2
       packages:
         - package: github.com/cloudflare/circl/abe/cpabe/tkn20/internal/tkn
           symbols:
             - EncryptCCA
         - package: github.com/cloudflare/circl/blindsign/blindrsa
           symbols:
             - RSAVerifier.Blind
         - package: github.com/cloudflare/circl/kem/frodo/frodo640shake
           symbols:
             - PublicKey.EncapsulateTo
           derived_symbols:
             - scheme.Encapsulate
             - scheme.EncapsulateDeterministically
         - package: github.com/cloudflare/circl/kem/kyber/kyber1024
           symbols:
             - PublicKey.EncapsulateTo
           derived_symbols:
             - scheme.Encapsulate
             - scheme.EncapsulateDeterministically
         - package: github.com/cloudflare/circl/kem/kyber/kyber512
           symbols:
             - PublicKey.EncapsulateTo
           derived_symbols:
             - scheme.Encapsulate
             - scheme.EncapsulateDeterministically
         - package: github.com/cloudflare/circl/kem/kyber/kyber768
           symbols:
             - PublicKey.EncapsulateTo
           derived_symbols:
             - scheme.Encapsulate
             - scheme.EncapsulateDeterministically
         - package: github.com/cloudflare/circl/kem/sike/sikep434
           symbols:
             - scheme.Encapsulate
         - package: github.com/cloudflare/circl/kem/sike/sikep503
           symbols:
             - scheme.Encapsulate
         - package: github.com/cloudflare/circl/kem/sike/sikep751
           symbols:
             - scheme.Encapsulate
 summary: Leaked shared secret and weak blinding in github.com/cloudflare/circl
 description: |-
     When sampling randomness for a shared secret, the implementation of Kyber and
     FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare
     deployment cases (error thrown by the Read() function), this could lead to a
     predictable shared secret.

     The tkn20 and blindrsa components did not check whether enough randomness was
     returned from the user provided randomness source. Typically the user provides
     crypto/rand.Reader, which in the vast majority of cases will always return the
     right number random bytes. In the cases where it does not, or the user provides
     a source that does not, the blinding for blindrsa is weak and integrity of the
     plaintext is not ensured in tkn20.
 cves:
     - CVE-2023-1732
 ghsas:
     - GHSA-2q89-485c-9j2x
 references:
     - advisory: https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x
     - fix: https://github.com/cloudflare/circl/commit/ff8d91225f8954b4970b6d6382d2e4c78f4a4cf8
	id: GO-2023-1765
	modules:
	- module: github.com/cloudflare/circl
	versions:
	- fixed: 1.3.3
	vulnerable_at: 1.3.2
	packages:
	- package: github.com/cloudflare/circl/abe/cpabe/tkn20/internal/tkn
	symbols:
	- EncryptCCA
	- package: github.com/cloudflare/circl/blindsign/blindrsa
	symbols:
	- RSAVerifier.Blind
	- package: github.com/cloudflare/circl/kem/frodo/frodo640shake
	symbols:
	- PublicKey.EncapsulateTo
	derived_symbols:
	- scheme.Encapsulate
	- scheme.EncapsulateDeterministically
	- package: github.com/cloudflare/circl/kem/kyber/kyber1024
	symbols:
	- PublicKey.EncapsulateTo
	derived_symbols:
	- scheme.Encapsulate
	- scheme.EncapsulateDeterministically
	- package: github.com/cloudflare/circl/kem/kyber/kyber512
	symbols:
	- PublicKey.EncapsulateTo
	derived_symbols:
	- scheme.Encapsulate
	- scheme.EncapsulateDeterministically
	- package: github.com/cloudflare/circl/kem/kyber/kyber768
	symbols:
	- PublicKey.EncapsulateTo
	derived_symbols:
	- scheme.Encapsulate
	- scheme.EncapsulateDeterministically
	- package: github.com/cloudflare/circl/kem/sike/sikep434
	symbols:
	- scheme.Encapsulate
	- package: github.com/cloudflare/circl/kem/sike/sikep503
	symbols:
	- scheme.Encapsulate
	- package: github.com/cloudflare/circl/kem/sike/sikep751
	symbols:
	- scheme.Encapsulate
	summary: Leaked shared secret and weak blinding in github.com/cloudflare/circl
	description: \|-
	When sampling randomness for a shared secret, the implementation of Kyber and
	FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare
	deployment cases (error thrown by the Read() function), this could lead to a
	predictable shared secret.

	The tkn20 and blindrsa components did not check whether enough randomness was
	returned from the user provided randomness source. Typically the user provides
	crypto/rand.Reader, which in the vast majority of cases will always return the
	right number random bytes. In the cases where it does not, or the user provides
	a source that does not, the blinding for blindrsa is weak and integrity of the
	plaintext is not ensured in tkn20.
	cves:
	- CVE-2023-1732
	ghsas:
	- GHSA-2q89-485c-9j2x
	references:
	- advisory: https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x
	- fix: https://github.com/cloudflare/circl/commit/ff8d91225f8954b4970b6d6382d2e4c78f4a4cf8