Deno, AES-GCM Authentication Bypass, CVE-2023-XXXX (Critical)

How the CVE Works

This vulnerability affects Deno’s implementation of AES-256-GCM and AES-128-GCM encryption, introduced in commit 0d1beed. The flaw lies in the missing validation of the authentication tag during decryption. Normally, AES-GCM ensures both confidentiality and integrity by verifying the authentication tag before decrypting data. However, in affected Deno versions, manipulated ciphertexts or incorrect keys bypass verification, effectively reducing AES-GCM to CTR mode—eliminating integrity protection.
The `set_aad` (Additional Authenticated Data) feature is also impacted since its hash (ghash) is not validated, making AAD checks useless. Attackers can tamper with encrypted data without detection, leading to potential decryption oracle attacks or data corruption.

DailyCVE Form

Platform: Deno
Version: Post-commit 0d1beed
Vulnerability: Auth-tag bypass
Severity: Critical
Date: 2023-XX-XX

Prediction: Patch by Q3 2024

What Undercode Say:

Exploitation Analysis

  1. Tampering Ciphertext: Modify encrypted payloads without triggering errors.
  2. Key Brute-Forcing: Invalid keys may decrypt data partially.
  3. AAD Manipulation: Forged additional data bypasses checks.

Detection Commands

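# Check the installed Deno version for the vulnerability.
# `deno --version` prints release version numbers, not a "commit" line,
# so compare the reported version against the releases that include commit 0d1beed.
deno --version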

Mitigation Code

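// Manual auth-tag verification workaround
// Caveat: this relies on final() throwing when the tag does not match, which is
// the check the affected versions skip, so it only protects on a fixed runtime.
import { Buffer } from "node:buffer";
import { createDecipheriv } from "node:crypto";

function safeDecrypt(enc, key) {
  // enc.iv, enc.authTag and enc.enc are binary (latin1) strings
  const dec = createDecipheriv("aes-256-gcm", key, Buffer.from(enc.iv, "binary"));
  dec.setAuthTag(Buffer.from(enc.authTag, "binary"));
  try {
    // final() is where GCM compares the computed tag with the supplied one
    const out = dec.update(enc.enc, "binary", "binary") + dec.final("binary");
    return out;
  } catch (e) {
    throw new Error("Auth-tag validation failed");
  }
}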

Patch Verification

Post-patch, decryption should throw:
deno run --allow-all poc.js 2>&1 | grep "Unsupported state"
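
The self-test below is an added example, not code from the original post or from the Deno project. It checks, on whichever runtime executes it, that node:crypto AES-256-GCM decryption refuses a tampered ciphertext, a wrong key, a forged tag and modified AAD; the name gcmSelfTest and the sample plaintext and AAD values are assumptions constructed for illustration.

```javascript
// Added self-test; gcmSelfTest and the sample values are hypothetical/constructed.
async function gcmSelfTest() {
  // Dynamic import loads from CommonJS or ES modules, in Node and in Deno.
  const { createCipheriv, createDecipheriv, randomBytes } = await import("node:crypto");
  const enc = new TextEncoder();

  // Constructed sample message; key and IV are random on every run.
  const key = randomBytes(32);
  const iv = randomBytes(12);
  const aad = enc.encode("header-v1");
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = cipher.update("integrity matters", "utf8", "hex") + cipher.final("hex");
  const tag = cipher.getAuthTag();

  // True when decryption was refused, false when it returned plaintext.
  const rejects = (k, c, t, a) => {
    try {
      const d = createDecipheriv("aes-256-gcm", k, iv);
      d.setAuthTag(t);
      d.setAAD(a);
      d.update(c, "hex", "utf8");
      d.final("utf8"); // GCM compares the computed and supplied tags here
      return false;
    } catch {
      return true;
    }
  };

  // Minimal changes to each input that the tag is supposed to protect.
  const flip = (bytes) => { const b = Uint8Array.from(bytes); b[0] ^= 1; return b; };
  const badCt = (ct[0] === "0" ? "1" : "0") + ct.slice(1);

  const checks = {
    validAccepted: !rejects(key, ct, tag, aad),
    tamperedCiphertextRejected: rejects(key, badCt, tag, aad),
    wrongKeyRejected: rejects(flip(key), ct, tag, aad),
    forgedTagRejected: rejects(key, ct, flip(tag), aad),
    modifiedAadRejected: rejects(key, ct, tag, enc.encode("header-v2")),
  };
  // tagEnforced is false if any tampered input decrypted without an error.
  return { checks, tagEnforced: Object.values(checks).every(Boolean) };
}

gcmSelfTest().then((r) => console.log(JSON.stringify(r, null, 2)));
```

A runtime with the missing tag validation described above would report tagEnforced as false, with the individual checks showing which tampered inputs were accepted.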

Attack Simulation

// PoC: Force-decrypt tampered ciphertext
const maliciousEnc = { ...test, enc: "tampered" };
await decrypt(maliciousEnc, ""); // Silently succeeds

Network Monitoring

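# Detect anomalous GCM traffic (no auth-tag errors)
# Note: tcpdump prints packet summaries and TLS payloads on port 443 are encrypted,
# so tag failures raised inside the application will not appear in this output;
# check the application's own error logs for them.
tcpdump -i eth0 'port 443' | grep "GCM" | grep -v "ERR"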

References

Sources:

Reported By: github.com