{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cbor-extract/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fido2-lib"],"_cs_severities":["high"],"_cs_tags":["fido2-lib","cbor-extract","denial-of-service","webauthn"],"_cs_type":"advisory","_cs_vendors":["fido2-lib"],"content_html":"\u003cp\u003eThe \u003ccode\u003efido2-lib\u003c/code\u003e library, specifically versions 3.x, is susceptible to a denial-of-service (DoS) vulnerability due to a heap buffer over-read within its dependency, \u003ccode\u003ecbor-extract\u003c/code\u003e. This vulnerability arises during the parsing of CBOR (Concise Binary Object Representation) attestation data within the WebAuthn registration process. The root cause lies in the \u003ccode\u003ecbor-extract\u003c/code\u003e library (versions \u0026lt;= 2.2.0), which is optionally used by \u003ccode\u003ecbor-x\u003c/code\u003e (~1.6.0), a dependency of \u003ccode\u003efido2-lib\u003c/code\u003e. A crafted 5-byte CBOR payload, when processed, triggers a \u003ccode\u003eSIGSEGV\u003c/code\u003e signal, causing the Node.js process to crash without any JavaScript exception handling. This issue was fixed in \u003ccode\u003ecbor-extract@2.2.1\u003c/code\u003e / \u003ccode\u003ecbor-x@1.6.3\u003c/code\u003e (released on 2026-03-08), but \u003ccode\u003efido2-lib@3.5.7\u003c/code\u003e still pins \u003ccode\u003ecbor-x\u003c/code\u003e to a vulnerable version. This vulnerability is exploitable through a single, unauthenticated request to the WebAuthn registration endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker initiates a WebAuthn registration process on a vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe server generates a challenge and sends it to the user's authenticator.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts the authenticator's registration response (containing the attestation object).\u003c/li\u003e\n\u003cli\u003eAttacker replaces the original \u003ccode\u003eattestationObject\u003c/code\u003e in the response with a crafted 5-byte CBOR payload: \u003ccode\u003e7a10000000\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends the modified registration response to the server's registration verification endpoint via a POST request.\u003c/li\u003e\n\u003cli\u003eThe server calls the \u003ccode\u003eattestationResult()\u003c/code\u003e function in \u003ccode\u003efido2-lib\u003c/code\u003e to verify the attestation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eattestationResult()\u003c/code\u003e internally calls \u003ccode\u003ecbor-x.decode()\u003c/code\u003e to parse the \u003ccode\u003eattestationObject\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecbor-x.decode()\u003c/code\u003e uses the vulnerable \u003ccode\u003ecbor-extract\u003c/code\u003e native addon, which calls \u003ccode\u003eextractStrings()\u003c/code\u003e during CBOR parsing, leading to a heap buffer over-read and a \u003ccode\u003eSIGSEGV\u003c/code\u003e signal, crashing the Node.js process. The attacker achieves denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, crashing the Node.js server. While the exact number of affected systems is unknown, any application using \u003ccode\u003efido2-lib\u003c/code\u003e versions up to 3.5.7 with the \u003ccode\u003ecbor-extract\u003c/code\u003e native addon installed is vulnerable. This can impact any service relying on WebAuthn for authentication, including financial institutions, SaaS providers, and any application requiring strong authentication. A successful attack disrupts service availability and potentially exposes the organization to reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecbor-x\u003c/code\u003e dependency in \u003ccode\u003efido2-lib\u003c/code\u003e to version 1.6.3 or higher to incorporate the fix for the heap buffer over-read, as described in the \u0026quot;Fix\u0026quot; section of this brief.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js processes for unexpected exits with signal \u003ccode\u003eSIGSEGV\u003c/code\u003e (exit code 139) to detect potential exploitation attempts, using the process creation log source.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the WebAuthn registration endpoint to mitigate the impact of potential DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-fido2lib-dos/","summary":"The fido2-lib library is vulnerable to a denial-of-service (DoS) attack due to a heap buffer over-read in the cbor-extract dependency when parsing CBOR attestation data, allowing an attacker to crash the server by sending a crafted CBOR payload during WebAuthn registration.","title":"fido2-lib Denial-of-Service Vulnerability via CBOR Parsing","url":"https://feed.craftedsignal.io/briefs/2024-07-fido2lib-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Cbor-Extract","version":"https://jsonfeed.org/version/1.1"}