flynn/noise has improper nonce handling yielding potential state DoS

Overview

Source
ID: GHSA-g9mp-8g3h-3c5c
Aliases: CVE-2021-4239, GHSA-6cr6-fmvc-vw2p, GO-2022-0425
Affected package

Description

The Go package `github.com/flynn/noise`, a [Noise Protocol](https://noiseprotocol.org/) implementation, has two bugs in nonce handling in versions prior to v1.0.0.

### Issue 1: Potential nonce overflow

If 2<sup>64</sup> (~18.4 quintillion) or more messages are encrypted with `Encrypt` after handshaking, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce, resulting in a potentially catastrophic weakening of the security properties of the symmetric cipher.

This has been resolved in the patched version by returning `ErrMaxNonce` from the `CipherState` `Encrypt` and `Decrypt` methods before the reserved maximum nonce is reached. If this error is encountered, the program should handshake again to start with a fresh `CipherState`.

### Issue 2: Potential denial of service via invalid ciphertext

If an attacker sends an invalid ciphertext into one peer's `Decrypt`, the nonce is incremented unconditionally. This causes a desync of the `CipherState` due to a nonce mismatch between the peers, resulting in a failure to decrypt all subsequent messages. A new handshake will be required to establish a new `CipherState`.

This has been resolved in the patched version by returning authentication errors from `Decrypt` before incrementing the nonce.
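The two orderings side by side, as an added example that is not code from `flynn/noise`. It assumes a simplified receive-side model: the names `cipherState`, `decrypt`, `nonceFor`, `afterForgery` and `errMaxNonce` are hypothetical, and standard-library AES-GCM is keyed directly with a constructed key instead of running a handshake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var errMaxNonce = errors.New("nonce exhausted, handshake again") // stand-in for ErrMaxNonce

// cipherState is a simplified receive-side model, not the flynn/noise type.
type cipherState struct {
	aead cipher.AEAD
	n    uint64
}

// nonceFor uses the Noise AESGCM layout: 4 zero bytes, then n big-endian.
func nonceFor(n uint64) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint64(b[4:], n)
	return b
}

// decrypt uses the pre-fix ordering when patched is false.
func (s *cipherState) decrypt(ct []byte, patched bool) ([]byte, error) {
	if patched && s.n == ^uint64(0) {
		return nil, errMaxNonce // reserved value: refuse rather than wrap to 0
	}
	pt, err := s.aead.Open(nil, nonceFor(s.n), ct, nil)
	if patched && err != nil {
		return nil, err // authentication failed: counter stays where it was
	}
	s.n++ // pre-fix ordering reaches this even after a failed Open
	return pt, err
}

// afterForgery injects one invalid ciphertext, then the sender's first message.
func afterForgery(patched bool) error {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	aead, _ := cipher.NewGCM(block)
	rx := &cipherState{aead: aead}
	rx.decrypt(make([]byte, 32), patched) // constructed garbage, fails the tag check
	genuine := aead.Seal(nil, nonceFor(0), []byte("hello"), nil)
	_, err := rx.decrypt(genuine, patched)
	return err
}

func main() { fmt.Println("pre-fix:", afterForgery(false), "| patched:", afterForgery(true)) }
```

With the pre-fix ordering the genuine message fails authentication because the receiver's counter is already at 1; with the patched ordering it decrypts normally.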

### Patches

Fixed in https://github.com/flynn/noise/pull/44, tagged as v1.0.0.

### Acknowledgements

These issues were discovered during [an audit](https://www.bamsoftware.com/software/dnstt/cure53-turbotunnel-2021.pdf) of a user of this package ([dnstt](https://www.bamsoftware.com/software/dnstt/)). Thanks to UC Berkeley for commissioning the audit, and to David Fifield and Nathan Brown for their collaboration on the fixes. The fixed issues are noted in the audit as:

* UCB-02-003 Potential nonce overflow in Noise protocol
* UCB-02-006 DoS due to unconditional nonce increment

Summary

* Total packages affected: 359. Packages with at least one version that is affected by the advisory or has an affected dependency.
* Packages with a known fix: 72. Packages with versions affected by the advisory that have a greater version that is not affected.
* Total ecosystem affected: 0.03%. The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).