<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fido2-Lib - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/fido2-lib/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/fido2-lib/feed.xml" rel="self" type="application/rss+xml"/><item><title>fido2-lib Denial-of-Service Vulnerability via CBOR Parsing</title><link>https://feed.craftedsignal.io/briefs/2024-07-fido2lib-dos/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-fido2lib-dos/</guid><description>The fido2-lib library is vulnerable to a denial-of-service (DoS) attack due to a heap buffer over-read in the cbor-extract dependency when parsing CBOR attestation data, allowing an attacker to crash the server by sending a crafted CBOR payload during WebAuthn registration.</description><content:encoded><![CDATA[<p>The <code>fido2-lib</code> library, specifically versions 3.x, is susceptible to a denial-of-service (DoS) vulnerability due to a heap buffer over-read within its dependency, <code>cbor-extract</code>. This vulnerability arises during the parsing of CBOR (Concise Binary Object Representation) attestation data within the WebAuthn registration process. The root cause lies in the <code>cbor-extract</code> library (versions &lt;= 2.2.0), which is optionally used by <code>cbor-x</code> (~1.6.0), a dependency of <code>fido2-lib</code>. A crafted 5-byte CBOR payload, when processed, triggers a <code>SIGSEGV</code> signal, causing the Node.js process to crash without any JavaScript exception handling. This issue was fixed in <code>cbor-extract@2.2.1</code> / <code>cbor-x@1.6.3</code> (released on 2026-03-08), but <code>fido2-lib@3.5.7</code> still pins <code>cbor-x</code> to a vulnerable version. This vulnerability is exploitable through a single, unauthenticated request to the WebAuthn registration endpoint.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker initiates a WebAuthn registration process on a vulnerable server.</li>
<li>The server generates a challenge and sends it to the user's authenticator.</li>
<li>Attacker intercepts the authenticator's registration response (containing the attestation object).</li>
<li>Attacker replaces the original <code>attestationObject</code> in the response with a crafted 5-byte CBOR payload: <code>7a10000000</code>.</li>
<li>Attacker sends the modified registration response to the server's registration verification endpoint via a POST request.</li>
<li>The server calls the <code>attestationResult()</code> function in <code>fido2-lib</code> to verify the attestation.</li>
<li><code>attestationResult()</code> internally calls <code>cbor-x.decode()</code> to parse the <code>attestationObject</code>.</li>
<li><code>cbor-x.decode()</code> uses the vulnerable <code>cbor-extract</code> native addon, which calls <code>extractStrings()</code> during CBOR parsing, leading to a heap buffer over-read and a <code>SIGSEGV</code> signal, crashing the Node.js process. The attacker achieves denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service condition, crashing the Node.js server. While the exact number of affected systems is unknown, any application using <code>fido2-lib</code> versions up to 3.5.7 with the <code>cbor-extract</code> native addon installed is vulnerable. This can impact any service relying on WebAuthn for authentication, including financial institutions, SaaS providers, and any application requiring strong authentication. A successful attack disrupts service availability and potentially exposes the organization to reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>cbor-x</code> dependency in <code>fido2-lib</code> to version 1.6.3 or higher to incorporate the fix for the heap buffer over-read, as described in the &quot;Fix&quot; section of this brief.</li>
<li>Monitor Node.js processes for unexpected exits with signal <code>SIGSEGV</code> (exit code 139) to detect potential exploitation attempts, using the process creation log source.</li>
<li>Implement rate limiting on the WebAuthn registration endpoint to mitigate the impact of potential DoS attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>fido2-lib</category><category>cbor-extract</category><category>denial-of-service</category><category>webauthn</category></item></channel></rss>