Impact
Vulnerable jsrsasign will accept RSA signature with improper PKCS#1.5 padding.
Decoded RSA signature value consists following form:
01(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]
Its byte length must be the same as RSA key length, however such checking was not sufficient.
To make crafted message for practical attack is very hard.
Patches
Users validating RSA signature should upgrade to 10.2.0 or later.
Workarounds
There is no workaround. Not to use RSA signature validation in jsrsasign.
ACKNOWLEDGEMENT
Thanks to Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.
References
Impact
Vulnerable jsrsasign will accept RSA signature with improper PKCS#1.5 padding.
Decoded RSA signature value consists following form:
01(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]
Its byte length must be the same as RSA key length, however such checking was not sufficient.
To make crafted message for practical attack is very hard.
Patches
Users validating RSA signature should upgrade to 10.2.0 or later.
Workarounds
There is no workaround. Not to use RSA signature validation in jsrsasign.
ACKNOWLEDGEMENT
Thanks to Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.
References