How the CVE Works:
The vulnerability in `asn1.js` arises from improper handling of DER (Distinguished Encoding Rules) encoding for large integers. When processing absolute values between 2³¹ and 2³² – 1, the `numBitLen` calculation incorrectly produces a negative result due to an arithmetic shift (`>>`) operation, triggering an infinite loop. This leads to a denial-of-service (DoS) condition. Additionally, the library fails to encode certain large integers correctly, further exacerbating the issue. Attackers exploiting this flaw could crash applications parsing malicious ASN.1 integers, disrupting services.
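The sketch below is an added illustration of the shift behaviour described above, not code from `asn1.js` or from the advisory. The function names and the loop shape are assumptions, since the library's `numBitLen` source is not shown on this page. It goes one step further than the text by placing a bit-length routine that is safe for this range next to the flawed pattern and using it to size a DER INTEGER.

```javascript
// Added illustration. bitLenSigned, bitLenSafe and derEncodeNonNegative are
// hypothetical names, not functions exported by asn1.js.
const MAX_STEPS = 64; // guard so the demonstration returns instead of hanging

// Flawed pattern: `>>` first converts its operand to a signed 32-bit integer,
// so values in 2**31 .. 2**32-1 turn negative and the shift settles at -1.
function bitLenSigned(value) {
  let n = Math.abs(value);
  let bits = 0;
  while (n !== 0) {
    if (bits >= MAX_STEPS) return { bits: null, stuck: true, last: n };
    n = n >> 1;
    bits++;
  }
  return { bits, stuck: false, last: n };
}

// Safe pattern: BigInt shifts have no 32-bit wrap-around.
function bitLenSafe(value) {
  let n = BigInt(value);
  if (n < 0n) n = -n;
  let bits = 0;
  while (n !== 0n) {
    n >>= 1n;
    bits++;
  }
  return bits;
}

// Minimal DER INTEGER encoder for non-negative values, short-form length only.
// One extra leading bit is reserved so the sign bit stays 0.
function derEncodeNonNegative(value) {
  const n = BigInt(value);
  if (n < 0n) throw new RangeError('non-negative integers only in this sketch');
  const len = Math.floor(bitLenSafe(n) / 8) + 1;
  if (len > 127) throw new RangeError('long-form lengths not handled');
  const content = n.toString(16).padStart(len * 2, '0');
  return '02' + len.toString(16).padStart(2, '0') + content;
}

// Constructed sample values around the boundary named in the text.
for (const v of [2 ** 31 - 1, 2 ** 31, 2 ** 32 - 1]) {
  console.log(v, bitLenSigned(v), bitLenSafe(v), derEncodeNonNegative(v));
}
```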
DailyCVE Form:
Platform: Node.js asn1.js
Version: <1.0.4
Vulnerability: Integer encoding flaw
Severity: Medium
Date: 2022-03-15
What Undercode Say:
Exploitation:
- Trigger Infinite Loop: Craft an ASN.1 integer payload between 2³¹ and 2³² – 1 to exploit the `numBitLen` miscalculation.
const asn1 = require('asn1.js');
const maliciousPayload = new asn1.types.Asn1Integer(2 ** 31 + 1);
- DER Encoding Crash: Submit malformed DER-encoded data to crash parsers:
echo "3009020101FFFFFF7F" | xxd -r -p | openssl asn1parse -inform DER -dump
Protection:
1. Upgrade:
npm install asn1.js@1.0.4 --save
2. Input Validation: Restrict integer ranges:
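function safeAsn1Integer(input) {
  // Reject non-integers (including NaN) and out-of-range values
  if (!Number.isInteger(input) || input < -2147483647 || input > 2147483647) {
    throw new RangeError("Invalid range");
  }
  return new asn1.types.Asn1Integer(input);
}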
3. Use Buffers: Bypass encoding logic by pre-encoding:
const buffer = Buffer.from("020100", "hex");
const safeInteger = new asn1.types.Asn1Integer(buffer);
Detection:
- Log Monitoring: Alert on repeated ASN.1 parsing failures.
- Static Analysis: Scan for unpatched `asn1.js` versions:
npm list asn1.js
Mitigation:
- WAF Rules: Block DER payloads with integers ≥ 2³¹.
- Process Isolation: Run ASN.1 parsing in sandboxed workers.
References:
Reported By: https://github.com/advisories/GHSA-p4qw-7j9g-5h53