Improper ECDSA Signature Validation Allowing For Arbitrary Signature Forgery [CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571]
We discussed this vulnerability during Episode 99 on 15 November 2021
Stark Bank maintains two “starkbank-ecdsa” libraries, one for Python and one for Node, which insecurely implement the ECDSA signature verification method. The issue stems from two problems:
- The range of r and s is not checked ((r,s) is the ECDSA signature) to ensure valid values are used.
- In calculating the multiplicative inverse the result for 0 is 0 whereas it should be undefined.
These two issues combine to mean that a signature of (0,0) will validate for any message/key.
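
How the two problems interact, shown with an added example that is not the starkbank-ecdsa code: an ECDSA verifier over secp256k1 with the zero-returning inverse, run with and without the range check. The curve, the function names, the fixed demo key and nonce, and the encoding of the point at infinity as (0, 0) are assumptions made for this example.

```python
import hashlib

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = (0, 0)  # assumption: point at infinity is encoded with x = 0

def buggy_inv(x, m):
    # Models the second problem: the "inverse" of 0 comes back as 0.
    return 0 if x % m == 0 else pow(x, -1, m)

def add(a, b):
    if a == INF: return b
    if b == INF: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def verify(msg, sig, pub, check_range):
    r, s = sig
    if check_range and not (1 <= r < N and 1 <= s < N):
        return False  # the range check that was missing (first problem)
    w = buggy_inv(s, N)  # s = 0 gives w = 0, so u1 = u2 = 0
    x, _ = add(mul(digest(msg) * w % N, G), mul(r * w % N, pub))
    return x % N == r  # 0*G + 0*Q is INF, whose x of 0 equals r = 0

def sign(msg, d, k):
    r = mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (digest(msg) + r * d) % N)

D, K = 0x1D0C5EC2E7, 0x2B7E151628  # constructed demo key and nonce, not secrets
PUB = mul(D, G)
```

With `check_range=False` the pair (0, 0) is accepted for every message and public key; with `check_range=True` it is rejected before the inverse is ever computed, which is why the range check alone closes the hole even if the inverse routine is left unchanged.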