Message-ID: <CAKws9z1Rb7ELFB1qL_CJZXoP3R4UJEi4k8JQ+VPTz=r=xnAwZg@mail.gmail.com>
Date: Wed, 24 Apr 2024 17:17:47 -0400
From: Paragon Initiative Enterprises Security Team <security@...agonie.com>
To: oss-security@...ts.openwall.com
Subject: Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc)

Good afternoon, OSS-Security Mailing List readers.

We are troubled to report that the PHP elliptic curve cryptography library known by the packagist name "mdanter/ecc" and the GitHub URL https://github.com/phpecc/phpecc has not responded to our attempts to fix security issues from the year 2021.

https://github.com/phpecc/phpecc/pull/280
https://github.com/phpecc/phpecc/pull/281

These pull requests fix a particular problem with generating an ECDSA signature: Calculating the modular inverse of your one-time secret, k, in constant-time.

*Put A Fork In It*

After reviewing the situation and failing to get in contact with the maintainers (their websites are offline and emails are bouncing), we opted to fork this library.

https://github.com/phpecc/phpecc/issues/289

Our fork can be found at this URL: https://github.com/paragonie/phpecc

Additionally, several more issues have been discovered as we review this code:

1. *Signature malleability* (i.e., (R,S) and (R,n-S) are both accepted). This is particularly troubling since many of the projects that depend on mdanter/ecc <https://archive.is/Q3EkJ> (archive.today link) are cryptocurrency-adjacent. We fixed this in v2.0.0 of our fork <https://github.com/paragonie/phpecc/releases/tag/v2.0.0>.

2. *ECDH Timing Leaks*. The way ECDH works is that it grabs the math adapter from the public point and uses that to compute a shared secret with the secret scalar. Despite the pains taken to implement a Montgomery Ladder for scalar*point multiplication, the underlying algorithms' use of GMP was timing-leaky. We fixed this in v2.0.0 of our fork <https://github.com/paragonie/phpecc/releases/tag/v2.0.0>.

3. *Branch-based Timing Leaks in Point Addition*. Point addition contains slow code that runs if a condition is true, and fast code that runs if the condition is false. This exposes a branch-based timing leak that doesn't require advanced techniques (e.g., manipulating the CPU's branch predictor) to trigger. We fixed this in v2.0.1 of our fork <https://github.com/paragonie/phpecc/releases/tag/v2.0.1>.

The incumbent library has nearly 5 million installs according to Packagist statistics <https://packagist.org/packages/mdanter/ecc/stats>. This includes historical installs that were replaced with newer versions, so the actual installed base is smaller, but probably only by 1 or 2 orders of magnitude.

*Actions Taken to Proactively Mitigate Risk*

After we announced our fork, and the motivation for it, the Packagist maintainers have marked the mdanter/ecc package as abandoned <https://github.com/phpecc/phpecc/issues/289#issuecomment-2075703542> and recommended our fork.

Projects using the Roave/SecurityAdvisories <https://github.com/Roave/SecurityAdvisories> package to block vulnerable dependencies from being installed will begin receiving a version conflict with any version of mdanter/ecc as of 2 hours ago (from when we write this email).

We opened GitHub issues with several dozen dependent projects to ensure community awareness of this issue. For example: https://github.com/Bit-Wasp/bitcoin-php/issues/919. Unfortunately, many of the dependents listed on Packagist are forks of other dependents, and some had no means to contact them. To that end, we're relying on public communication channels, such as this mailing list and /r/PHP <https://old.reddit.com/r/PHP/comments/1cbq3mj/pie_has_forked_phpecc_released_a_new_version_with>, to get the word out.

*Miscellaneous*

We have requested a CVE identifier from MITRE for the ECDSA weaknesses we reported and provided a patch for in 2021, but a CVE ID has not been assigned as of this writing.

Our work is far from over.
We expect to find and fix more bugs in the coming weeks. However, migrating off the abandoned package is a necessary first step to stop the bleeding.

If you have a package that currently depends on mdanter/ecc, we provided a simple migration guide in our v2.0.0 release notes: https://github.com/paragonie/phpecc/blob/master/doc/release-notes-2.0.0.md#migration-guide

We would also like to thank the following people for helping move this issue towards resolution in the absence of the original package's maintainers: Nils Alderman, Frederik Bosch, and Marco Pivetta.

Happy hacking,
Security Team
Paragon Initiative Enterprises
<https://paragonie.com/security>
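Two of the findings in the message above, the ECDSA signature malleability (item 1) and the variable-time modular inverse of the one-time secret k that the 2021 pull requests address, can be reproduced with a small self-contained ECDSA implementation. The code below is an added example written for this page; it is not code from mdanter/ecc, phpecc/phpecc or the paragonie fork, and it does not claim to show how either library implements its fix. It uses the public secp256k1 domain parameters; the key pair and message are constructed for the demo. `verify_naive` shows that (r, s) and (r, n - s) both pass the standard check, and `verify_low_s` shows the usual fix of accepting only one canonical s per r. `inv_blinded` shows multiplicative blinding, a portable way to keep a variable-time extended-Euclid inverse from operating on the secret nonce directly (Python's big integers are themselves not constant-time, so this is the technique, not a constant-time guarantee). The textbook point addition in `add` also carries the data-dependent branches (infinity, P == -Q, P == Q) that item 3 refers to in general terms, and is deliberately left that way so the branches are visible.

```python
"""Added example (not phpecc code): ECDSA over secp256k1 in pure Python,
demonstrating (1) signature malleability and the low-S rule that removes it,
and (2) blinding the per-signature nonce k before a variable-time inverse.
Curve constants are the standard secp256k1 parameters; keys and the message
are constructed for the demo."""
import hashlib
import secrets

# secp256k1 domain parameters (public, standard values)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def inv_euclid(a, m):
    """Extended Euclid. Its iteration count depends on the value of a, so it
    must never be called on a secret directly (see inv_blinded)."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def inv_blinded(k, m):
    """Multiplicative blinding: invert (k*b) for a fresh random b, then
    multiply by b. The Euclid routine's timing now depends on k*b, which is
    uniformly random, rather than on k itself."""
    b = 0
    while b == 0:
        b = secrets.randbelow(m)
    return (inv_euclid(k * b % m, m) * b) % m


def add(p1, p2):
    """Textbook affine addition. The branches below (infinity, P == -Q,
    P == Q) take different amounts of time; with secret operands that is
    the class of leak described in the message."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1) * inv_euclid(2 * y1, P) % P  # doubling branch
    else:
        lam = (y2 - y1) * inv_euclid(x2 - x1, P) % P     # general branch
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N)
        if k == 0:
            continue
        r = mul(k, G)[0] % N
        if r == 0:
            continue
        s = inv_blinded(k, N) * (z + r * priv) % N  # k is never passed to Euclid
        if s == 0:
            continue
        return (r, s)


def verify_naive(pub, msg, sig):
    """Standard ECDSA check. Because inv(n - s) == -inv(s) mod n, the point
    computed for (r, n - s) is the negation of the one for (r, s) and has
    the same x coordinate, so both signatures are accepted."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = hash_to_int(msg)
    w = inv_euclid(s, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def verify_low_s(pub, msg, sig):
    """Malleability fix: accept only s <= (n - 1) / 2, so exactly one of
    (r, s) and (r, n - s) is valid."""
    r, s = sig
    if s > (N - 1) // 2:
        return False
    return verify_naive(pub, msg, sig)


def demo():
    """Returns (naive accepts original, naive accepts malleated copy,
    low-S accepts exactly one of the two)."""
    priv = secrets.randbelow(N - 1) + 1          # constructed demo key
    pub = mul(priv, G)
    msg = b"constructed demo message"
    r, s = sign(priv, msg)
    malleated = (r, (N - s) % N)                  # derived without the private key
    return (verify_naive(pub, msg, (r, s)),
            verify_naive(pub, msg, malleated),
            verify_low_s(pub, msg, (r, s)) != verify_low_s(pub, msg, malleated))
```

`demo()` returns `(True, True, True)`: the naive verifier accepts both forms, and the low-S verifier accepts exactly one. A verifier that enforces low S and a signer that normalises its output to low S are both needed for interoperability, since honest signers produce high-S values half the time.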