Weak encryption and denial of service in github.com/flynn/noise
Overview
Source
ID: GO-2022-0425
Aliases: CVE-2021-4239, GHSA-6cr6-fmvc-vw2p, GHSA-g9mp-8g3h-3c5c
Affected package
Description
The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack.
After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce.
In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.
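The two nonce rules this description implies, as an added example (not code from github.com/flynn/noise or from the advisory): refuse to use the key once the counter reaches 2^64-1, and advance the counter only after an operation succeeds. `CipherState`, `step`, `NewCipherState` and `ErrMaxNonce` are hypothetical names, and AES-256-GCM from the Go standard library is assumed as the session cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrMaxNonce = errors.New("nonce exhausted: rekey or close the session")
type CipherState struct { // hypothetical stand-in, not flynn/noise's own type
	aead cipher.AEAD
	n    uint64 // nonce counter; both peers must keep it in step
}

func NewCipherState(key [32]byte) *CipherState {
	block, _ := aes.NewCipher(key[:]) // cannot fail: 32 bytes is a valid AES key
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return &CipherState{aead: aead}
}

// step runs op under the current nonce and advances n only when op succeeds.
func (c *CipherState) step(op func(nonce []byte) ([]byte, error)) ([]byte, error) {
	if c.n == ^uint64(0) { // 2^64-1: fail closed instead of wrapping to a used nonce
		return nil, ErrMaxNonce
	}
	nonce := binary.BigEndian.AppendUint64(make([]byte, 4, 12), c.n) // 4 zero bytes + n
	out, err := op(nonce)
	if err == nil {
		c.n++ // a rejected ciphertext leaves n untouched, so peers stay in sync
	}
	return out, err
}

func (c *CipherState) Encrypt(ad, pt []byte) ([]byte, error) {
	return c.step(func(n []byte) ([]byte, error) { return c.aead.Seal(nil, n, pt, ad), nil })
}
func (c *CipherState) Decrypt(ad, ct []byte) ([]byte, error) {
	return c.step(func(n []byte) ([]byte, error) { return c.aead.Open(nil, n, ct, ad) })
}

func main() {
	tx, rx := NewCipherState([32]byte{}), NewCipherState([32]byte{}) // constructed demo key
	_, forged := rx.Decrypt(nil, []byte("constructed forged input")) // rejected
	ct, _ := tx.Encrypt(nil, []byte("hello"))
	pt, err := rx.Decrypt(nil, ct) // still succeeds after the forgery
	fmt.Println(forged != nil, string(pt), err)
}
```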
Impact
Summary
Total packages affected: 359
Packages with at least one version that is affected by the advisory or has an affected dependency.
Packages with a known fix: 72
Packages with versions affected by the advisory that have a greater version that is not affected.
Total ecosystem affected: 0.03%
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0, Fixed: 1.0.0