GHSA-3f99-hvg4-qjwj

Description and Impact

A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.

Fix

• The bug in the pseudo-random number generator is fixed in commit 9596418.
• If the crypto module is available, it is used instead of the pseudo-random number generator. Also fixed in 9596418

Additional Details

The specific line with the flaw is:

b.putByte(String.fromCharCode(next & 0xFF))

The definition of putByte is

util.ByteBuffer.prototype.putByte = function(b) {
  this.data += String.fromCharCode(b);
};

Simplified, this is String.fromCharCode(String.fromCharCode(next & 0xFF)). This results in most of the buffer containing zeros. An example generated buffer:

(Note: truncated for brevity)

\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x04\x00\x00\x00....\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

Since it is masking with 0xFF, approximately 97% of the bytes are converted to zeros. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion.

Credit

This issue was reported to GitHub Security Lab by Ross Wheeler of Axosoft. It was discovered by Axosoft engineer Dan Suceava, who noticed that keypair was regularly generating duplicate RSA keys. GitHub security engineer @vcsjones (Kevin Jones) independently investigated the problem and identified the cause and source code location of the bug.