~/Bitcoin-Vulnerabilities$ ./attacksafe pkcs_v1.5_implementation_vulnerability_cve-2016-2183.sage
Vulnerability in the implementation of PKCS#1 v1.5 (CVE-2016-2183)
In 2016, another vulnerability was discovered related to the implementation of the PKCS#1 v1.5 standard in PyCrypto. It allowed attackers to recover encrypted data without knowing the encryption key. This issue affected both symmetric and asymmetric encryption. The developers were forced to urgently fix this vulnerability in the next update.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe rsa_implementation_vulnerability_cve-2013-7459.sage
Vulnerability in the implementation of RSA (CVE-2013-7459)
In 2013, a serious vulnerability was discovered in the implementation of the RSA algorithm in PyCrypto. The problem was that RSA keys were generated insecurely, making them easily recoverable by attackers. This compromised the confidentiality and integrity of data protected with vulnerable keys. The developers had to urgently release an update that corrects this critical error.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe vulnerability_crash_during_verification.sage
Vulnerability Crash during testing
“Verification Crash” bug (September 2021): This bug caused the application to crash when verifying some specially crafted signatures. The problem was caused by incorrect exception handling during verification. Although this bug had no direct security implications, it could be used in denial of service attacks, causing applications using the library to crash. The developers have released a fix that improves exception handling.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe vulnerability_curve_mismatch.sage
Curve Mismatch Vulnerability (May 2021): This vulnerability allowed an attacker to forge a signature by manipulating the elliptic curve parameters. The problem was that the library did not always correctly handle cases where curve parameters other than those for which the key pair was generated were used. This could lead to the creation of invalid signatures that were nonetheless verified. The developers have released an update that added additional verification of curve parameters during the signing process.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe signature_verification_bug_vulnerability_null_value_r.sage
Signature Verification Failure Vulnerability Null R Value
“Null R value” error (January 2020): This error was related to signature verification. In some cases, the signature check function could return true for invalid signatures containing a null R value (one of the coordinates of a point on an elliptic curve). This issue was caused by a bug in the verification logic and could potentially allow an attacker to forge a valid signature. The developers quickly released a fix, correcting the verification logic.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe vulnerability_curve-swap.sage
Curve-Swap vulnerability
In August 2019, a “Curve-Swap” vulnerability discovered by researchers at the University of Birmingham allowed an attacker to forge a digital signature by altering the ellipse curve used to generate keys. The vulnerability was due to insufficient validation of curve parameters during the signing process. As a result, a library update was released with a fix that strengthened the curve parameter checking.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe vulnerability_cve-2020-16869.sage
Vulnerability CVE-2020-16869
Several other serious problems. For example, CVE-2020-16869 allowed an attacker to cause a denial of service (DoS) in applications using a vulnerable version of the library, while CVE-2021-38098 and CVE-2021-38099 were related to improper handling of special data and could also lead to the execution of arbitrary code.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe vulnerability_cve-2021-38099.sage
Vulnerability CVE-2020-16869
Several other serious problems. For example, CVE-2020-16869 allowed an attacker to cause a denial of service (DoS) in applications using a vulnerable version of the library, while CVE-2021-38098 and CVE-2021-38099 were related to improper handling of special data and could also lead to the execution of arbitrary code.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe vulnerability_in_genkey_cve-2021-20263.sage
Vulnerability in the genKey method incorrectly generated encryption keys CVE-2021-20263
A serious bug was found in March 2021 and is described in CVE-2021-20263. It affected the genKey method, which was not generating encryption keys correctly. Because of this bug, keys could be weak or even public, allowing an attacker to decrypt encrypted data or perform other malicious actions.
####################################################
~/Bitcoin-Vulnerabilities$ ./attacksafe parsedkgresponse_function_mishandling_vulnerability_cve-2020-16868.sage
Incorrect data handling vulnerability in ParseDKGResponse function CVE-2020-16868
One of the most serious vulnerabilities was discovered in June 2020 and received the number CVE-2020-16868. It allowed a remote attacker to execute arbitrary code on the victims computer if the victim used a vulnerable version of the library in her application. The vulnerability was due to improper data handling in the ParseDKGResponse function, which did not validate the input data. This allowed the attacker to send specially crafted messages that led to the execution of malicious code.
####################################################
