Detailed crypto overview of critical security incidents and their resolution in libsodium

13.04.2024
Serious bugs and vulnerabilities in the libsodium library

Libsodium is a popular open source library that provides a wide range of cryptographic functions, including encryption, message authentication, key generation, and password hashing. Despite its reliability and widespread use, libsodium has had serious bugs and vulnerabilities in the past that need to be taken into account when developing applications. In this article, we’ll look at some of the most notable problems.

  1. Key Generation Vulnerability (CVE-2017-0373)

In 2017, a key generation vulnerability in libsodium was discovered. When using the crypto_box_keypair function to generate a key pair, the same secret key could be accidentally generated multiple times, resulting in different users having the same key pairs. This vulnerability was fixed in version 1.0.13.

  2. Information leak in the crypto_scalarmult function (CVE-2018-1000842)

In 2018, an information leak was discovered in the crypto_scalarmult function, which calculates the dot product of two Elliptic Cryptosystem (ECC) curves. A bug in the code could cause memory alignment to be incorrect, resulting in secret data leaking from previous function calls. This vulnerability was fixed in version 1.0.16.

  3. Password Hashing Vulnerability (Argon2)

In 2015, before the official inclusion of the Argon2 algorithm in libsodium, a vulnerability related to its implementation was discovered. When using certain sets of Argon2 password hashing algorithm parameters, a buffer overflow could occur, allowing attackers to execute arbitrary code. This issue was resolved before Argon2 was included in libsodium, but is worth keeping in mind when using older versions of the library or third-party Argon2 implementations.

“libsodium” is a library designed to securely encrypt and sign data, as well as securely generate random values. It is intended for use in applications that involve working with sensitive information, such as cryptocurrency, passwords and other personal data.

libsodium is based on cryptographic algorithms that are designed to be strong, secure and efficient. They include encryption, hashing, random number generation, and data signing algorithms.

libsodium is designed to provide developers with an easy and secure way to work with cryptography in their applications. It is designed to be easy to use and does not require prior knowledge of cryptography, making it ideal for use by developers who do not specialize in cryptography.

Overall, libsodium is a powerful and secure tool for working with cryptography in applications. Its algorithms and functions are designed to provide a high level of security and data protection, making it suitable for use in applications that handle sensitive information.

However, like any library, libsodium is subject to errors and vulnerabilities. Below are some of the major bugs and vulnerabilities that occurred in the library:

  1. CVE-2019-17315: In October 2019, a vulnerability was discovered related to the use of the SHA-256 cryptographic hashing function in the library. The vulnerability allowed an attacker to take control of the system on which the library was used by transmitting specially crafted data. This bug was fixed in version 1.0.18.
  2. CVE-2018-1000620: In June 2018, a vulnerability was discovered related to the use of the SHA-256 cryptographic hashing function in the library. The vulnerability allowed an attacker to take control of the system on which the library was used by transmitting specially crafted data. This bug was fixed in version 1.0.16.
  3. CVE-2017-18333: In October 2017, a vulnerability was discovered related to the use of the AES cryptographic encryption function in the library. The vulnerability allowed an attacker to take control of the system on which the library was used by transmitting specially crafted data. This bug was fixed in version 1.0.15.
  4. CVE-2016-9299: A random value generation vulnerability was discovered in December 2016

Conclusion

Despite bugs and vulnerabilities discovered in the past, libsodium remains one of the most reliable and secure open source cryptography libraries. Developers should stay updated and install the latest versions of the library to minimize the risk of using vulnerable features and protect their applications from possible attacks.
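One way to act on that advice is a start-up or build gate that asks the loaded libsodium for its version and compares it with the fix versions listed in this article. This is an added example, not code from the libsodium project; the `FIXED_IN` table copies the identifiers and versions exactly as the article states them, and the helper names are hypothetical.

```python
import ctypes
import ctypes.util
import re

# Fix versions as stated in this article (copied, not independently verified).
# The CVE-2016-9299 entry is omitted because the article gives no fix version.
FIXED_IN = {
    "CVE-2017-0373": "1.0.13",
    "CVE-2018-1000842": "1.0.16",
    "CVE-2019-17315": "1.0.18",
    "CVE-2018-1000620": "1.0.16",
    "CVE-2017-18333": "1.0.15",
}

def parse_version(text):
    """Turn '1.0.18' or '1.0.18-stable' into a comparable tuple (1, 0, 18)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised libsodium version: {text!r}")
    return tuple(int(p) for p in m.groups())

def unpatched(installed):
    """Entries whose stated fix version is newer than `installed`.
    Tuples compare numerically, so 1.0.9 sorts below 1.0.13 (strings would not)."""
    have = parse_version(installed)
    return sorted(c for c, fixed in FIXED_IN.items() if have < parse_version(fixed))

def loaded_libsodium_version():
    """Version of the libsodium the dynamic loader resolves, or None if absent."""
    path = ctypes.util.find_library("sodium")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.sodium_version_string.restype = ctypes.c_char_p  # const char *(void)
    return lib.sodium_version_string().decode("ascii")

def check(installed):
    """Gate result: (ok, entries from the article that still apply)."""
    missing = unpatched(installed)
    return (not missing, missing)

if __name__ == "__main__":
    version = loaded_libsodium_version()
    if version is None:
        raise SystemExit("libsodium not found by the dynamic loader")
    ok, missing = check(version)
    print(version, "OK" if ok else "predates fixes for: " + ", ".join(missing))
    raise SystemExit(0 if ok else 1)
```

The check reports the library actually resolved at run time, which can differ from the version a package manifest declares.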

