Insecure Key Pair Generation in Ed25519KeyIdentity Could Lead to Loss of Funds or Access
CVE-2024-1631

9.1CRITICAL

Key Information:

Vendor: Internet Computer
Status: Agent-js
Vendor: CVE Published:; 21 February 2024

Summary

The DFINITY Identity Library has a vulnerability in its key pair generation function, specifically within Ed25519KeyIdentity.generate. Though it is designed to generate a secure secret key from an optional 32-byte seed, a recent update has compromised this functionality. Instead of using secure random values, the library may utilize a non-secure seed for generating keys. This flaw jeopardizes the integrity of the private keys, leading to possible unauthorized access to funds or canisters where the compromised key is a controlling principal. Users relying on this library are at significant risk if the seed value is not securely managed.

Affected Version(s)

agent-js v0.20.0-beta.0

References

https://github.com/dfinity/agent-js/pull/851

https://www.npmjs.com/package/@dfinity/identity/v/1.0.1

https://github.com/dfinity/agent-js

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Feb 19, 2024