Deno AES-GCM Authentication Tag Validation Vulnerability

Vulnerability

A vulnerability exists in Deno versions 1.46.0 through 2.1.6, where the authentication tags for AES-256-GCM and AES-128-GCM encryption are not properly validated. This oversight allows tampered ciphertexts or incorrect keys to go undetected, undermining the integrity guarantees that AES-GCM is supposed to provide. In contrast, older Deno versions and Node.js correctly reject such inputs with an error. Without authentication tag verification, AES-GCM behaves like plain CTR mode, stripping away its integrity protection. This issue also affects additional authenticated data (AAD) supplied through 'set_aad': that data is included in the GCM hash but the resulting tag is not validated, rendering AAD checks ineffective.

Impact

The vulnerability allows for the use of tampered ciphertexts or incorrect keys without detection, breaking the integrity guarantees of AES-GCM encryption. This could lead to unauthorized decryption of data or manipulation of encrypted information, as the absence of authentication tag validation allows for interception and alteration of ciphertexts without detection.

Reproduction

The vulnerability can be reproduced by using Deno versions 1.46.0 through 2.1.6 to encrypt data with AES-GCM using either a 128-bit or a 256-bit key. After encryption, the authentication tag can be omitted or replaced with an incorrect value during decryption. The decryption process will not raise an error, demonstrating the lack of authentication validation. The same test can be run on data authenticated with 'set_aad': modifying the AAD before decryption likewise goes undetected, bypassing AAD validation.

Remediation

Users can upgrade to Deno version 2.1.7 or later, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.