Noise vulnerable to denial of service

Overview

Source
ID
GHSA-6cr6-fmvc-vw2p
Aliases
CVE-2021-4239
GHSA-g9mp-8g3h-3c5c
GO-2022-0425
Affected package

Description

Noise is a Go implementation of the Noise Protocol Framework. The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.

Summary

359
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
72
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
0.03%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).