CVE-2020-14968 : Security Advisory and Response

Discover the impact of CVE-2020-14968, a vulnerability in the jsrsasign package for Node.js allowing attackers to manipulate signatures and potentially trigger memory corruption issues. Learn how to mitigate this security risk.

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature, allowing attackers to create multiple valid signatures and potentially trigger memory corruption issues.

Understanding CVE-2020-14968

This CVE involves a vulnerability in the RSASSA-PSS implementation of the jsrsasign package for Node.js.

What is CVE-2020-14968?

The vulnerability allows attackers to manipulate a signature by prepending '\0' bytes to it, and the modified signature is still accepted as valid.

The Impact of CVE-2020-14968

        Attackers can create multiple valid signatures where only one should exist
        Possibility of triggering memory corruption issues

Technical Details of CVE-2020-14968

This section provides more technical insights into the CVE.

Vulnerability Description

The RSASSA-PSS implementation in the jsrsasign package fails to detect signature manipulation in which '\0' bytes are prepended to a signature.

Affected Systems and Versions

        Product: Not applicable
        Vendor: Not applicable
        Versions affected: Before 8.0.17

Exploitation Mechanism

Attackers can abuse the vulnerability by creating modified signatures with prepended '\0' bytes.

Mitigation and Prevention

Protecting systems from CVE-2020-14968 requires both immediate action and long-term security practices.

Immediate Steps to Take

        Update the jsrsasign package to version 8.0.17 or later
        Monitor for any unusual signature manipulations

Long-Term Security Practices

        Regularly update software packages to patch known vulnerabilities
        Implement signature verification mechanisms to detect manipulation
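
One way to implement the manipulation check named above, as an added example (not code from this advisory or from jsrsasign): RFC 8017 section 8.1.2 requires an RSASSA-PSS verifier to reject any signature whose length differs from the modulus length k in octets. The block uses only Node.js's built-in crypto module; the key, message and function names (verifyAsInteger, verifyStrict, demo) are constructed for illustration, and verifyAsInteger is a simplified model of a verifier that reads the signature as an integer, an assumption about the bug class rather than the package's actual code.

```javascript
// Added example: strict RSASSA-PSS signature length check (Node.js built-in crypto only).
const crypto = require('crypto');

const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

// Constructed sample key and message, generated locally for the demonstration.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const message = Buffer.from('constructed sample message');

function sign(data) {
  return crypto.sign('sha256', data, { key: privateKey, ...PSS });
}

// k = modulus length in octets (RFC 8017 notation).
function modulusBytes(key) {
  return Math.ceil(key.asymmetricKeyDetails.modulusLength / 8);
}

// Model of the flawed behaviour (assumption, not jsrsasign's code): the signature
// is read as an integer, so leading 0x00 bytes vanish before verification.
function verifyAsInteger(data, sig, key) {
  const k = modulusBytes(key);
  let i = 0;
  while (i < sig.length && sig[i] === 0) i++; // integer parsing drops leading zeros
  const digits = sig.subarray(i);
  if (digits.length > k) return false;
  const normalized = Buffer.concat([Buffer.alloc(k - digits.length), digits]);
  return crypto.verify('sha256', data, { key, ...PSS }, normalized);
}

// Hardened form: RFC 8017 section 8.1.2 step 1, reject unless len(S) == k.
function verifyStrict(data, sig, key) {
  if (!Buffer.isBuffer(sig) || sig.length !== modulusBytes(key)) return false;
  return crypto.verify('sha256', data, { key, ...PSS }, sig);
}

function demo() {
  const sig = sign(message);
  const padded = Buffer.concat([Buffer.alloc(2), sig]); // same integer, different bytes
  return {
    lenientOriginal: verifyAsInteger(message, sig, publicKey),
    lenientPadded: verifyAsInteger(message, padded, publicKey),
    strictOriginal: verifyStrict(message, sig, publicKey),
    strictPadded: verifyStrict(message, padded, publicKey),
  };
}

console.log(demo());
```

Where signatures are stored or compared as byte strings (deduplication, replay caches, revocation by signature hash), the strict check keeps one message from having several accepted encodings.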

Patching and Updates

        Update to jsrsasign version 8.0.17 or above to mitigate the vulnerability
