Improper ECDSA Signature Validation Allowing For Arbitrary Signature Forgery [CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571]

We discussed this vulnerability as part of our weekly podcast on 16 November 2021.

Stark Bank maintains two libraries named “starkbank-ecdsa”, one for Python and one for Node, which insecurely implement the ECDSA signature verification method. The issue stems from two problems:

  1. The range of r and s, where (r,s) is the ECDSA signature, is not checked to ensure valid values are used.
  2. When calculating the multiplicative inverse, the result for 0 is 0, whereas it should be undefined.

These two issues combine to mean that a signature of (0,0) will validate for any message/key.