x/vulndb: potential Go vuln in github.com/binance-chain/tss-lib: GHSA-c58h-qv6g-fw74 #3452

Closed
GoVulnBot opened this issue Feb 5, 2025 · 2 comments

@GoVulnBot

Advisory GHSA-c58h-qv6g-fw74 references a vulnerability in the following Go modules:

Module
github.com/binance-chain/tss-lib
github.com/bnb-chain/tss-lib
github.com/bnb-chain/tss-lib/v2

Description:
An issue was discovered in IO FinNet tss-lib before 2.0.0. The parameter ssid for defining a session id is not used through the MPC implementation, which makes replaying and spoofing of messages easier. In particular, the Schnorr proof of knowledge implemented in sch.go does not utilize a session id, context, or random nonce in the generation of the challenge. This could allow a malicious user or an eavesdropper to replay a valid proof sent in the past.

References:

!! Possible duplicate report !!

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/binance-chain/tss-lib
      vulnerable_at: 1.3.5
    - module: github.com/bnb-chain/tss-lib
      vulnerable_at: 1.3.5
    - module: github.com/bnb-chain/tss-lib/v2
      versions:
        - fixed: 2.0.0
summary: IO FinNet tss-lib vulnerable to replay attacks involving proofs in github.com/binance-chain/tss-lib
cves:
    - CVE-2022-47930
ghsas:
    - GHSA-c58h-qv6g-fw74
references:
    - advisory: https://github.com/advisories/GHSA-c58h-qv6g-fw74
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-47930
    - fix: https://github.com/bnb-chain/tss-lib/commit/1a14f3ac9ecbf6115e80d44c7fff16bcc3139250
    - fix: https://github.com/bnb-chain/tss-lib/pull/256
    - web: https://github.com/IoFinnet/tss-lib/releases/tag/v2.0.0
    - web: https://medium.com/@iofinnet/security-disclosure-for-ecdsa-and-eddsa-threshold-signature-schemes-4e969af7155b
notes:
    - fix: 'github.com/bnb-chain/tss-lib/v2: could not add vulnerable_at: could not find tagged version between introduced and fixed'
source:
    id: GHSA-c58h-qv6g-fw74
    created: 2025-02-05T20:01:25.827464277Z
review_status: UNREVIEWED
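
The replay condition described in the advisory text, sketched as an added example (not code from tss-lib or from this issue): a Schnorr proof of knowledge whose Fiat-Shamir challenge optionally hashes a session id, so a proof made for one session fails in another. `Proof`, `challenge`, `Prove`, `Verify` and the `ssid-A`/`ssid-B` values are hypothetical names, and P-256 through the standard library's `crypto/elliptic` is an assumed stand-in group.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var curve = elliptic.P256() // assumption: stand-in group for this sketch
type Proof struct{ Ax, Ay, T *big.Int } // A = a*G, T = a + c*x mod N, for X = x*G

// challenge is the Fiat-Shamir hash. An empty ssid models the pre-fix case.
func challenge(ssid []byte, Xx, Xy, Ax, Ay *big.Int) *big.Int {
	h := sha256.New()
	h.Write(ssid) // the two encoded points after it are fixed width
	h.Write(elliptic.Marshal(curve, Xx, Xy))
	h.Write(elliptic.Marshal(curve, Ax, Ay))
	c := new(big.Int).SetBytes(h.Sum(nil))
	return c.Mod(c, curve.Params().N)
}

func Prove(ssid []byte, x, Xx, Xy *big.Int) (Proof, error) {
	a, err := rand.Int(rand.Reader, curve.Params().N) // fresh nonce per proof
	if err != nil {
		return Proof{}, err
	}
	Ax, Ay := curve.ScalarBaseMult(a.Bytes())
	t := new(big.Int).Mul(challenge(ssid, Xx, Xy, Ax, Ay), x)
	return Proof{Ax, Ay, t.Add(t, a).Mod(t, curve.Params().N)}, nil
}

// Verify recomputes c under the verifier's own ssid and checks T*G == A + c*X.
func Verify(ssid []byte, Xx, Xy *big.Int, p Proof) bool {
	if !curve.IsOnCurve(Xx, Xy) || !curve.IsOnCurve(p.Ax, p.Ay) {
		return false
	}
	cx, cy := curve.ScalarMult(Xx, Xy, challenge(ssid, Xx, Xy, p.Ax, p.Ay).Bytes())
	rx, ry := curve.Add(p.Ax, p.Ay, cx, cy)
	lx, ly := curve.ScalarBaseMult(p.T.Bytes())
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

func main() {
	x := big.NewInt(0xC0FFEE) // constructed demo secret
	Xx, Xy := curve.ScalarBaseMult(x.Bytes())
	p, _ := Prove([]byte("ssid-A"), x, Xx, Xy)
	fmt.Println(Verify([]byte("ssid-A"), Xx, Xy, p), Verify([]byte("ssid-B"), Xx, Xy, p)) // true false
}
```

With an empty ssid on both sides the same proof verifies in every session, which is the condition the advisory describes.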

@tatianab
Contributor

tatianab commented Feb 5, 2025

Duplicate of #1867

@tatianab tatianab marked this as a duplicate of #1867 Feb 5, 2025
@gopherbot
Contributor

Change https://go.dev/cl/647255 mentions this issue: data/reports: update GO-2023-1867
