pbkdf2 Improper Input Validation Vulnerability Allowing Signature Spoofing

Vulnerability

A vulnerability has been identified in the pbkdf2 library, affecting versions through 3.1.2. It is an improper input validation issue, classified here as allowing signature spoofing. It affects users running the library on Node.js or io.js versions prior to 3.0.0: on those runtimes pbkdf2 does not handle Uint8Array inputs correctly and silently disregards them, returning the key derived from an empty password and salt instead of a key derived from the supplied values. An application that passed Uint8Array inputs under those conditions therefore received a static, predictable value wherever it expected a properly derived key.

Impact

An affected deployment produces the same static output regardless of the Uint8Array password and salt it is given. Because that value is identical for every input, it offers no protection when used as a key or password: anyone who knows the derivation parameters can compute it, and any cryptographic operation built on it is undermined. On Node.js or io.js versions prior to 3.0.0 this can result in significant security vulnerabilities, since applications may rely on these values for critical functions.

Reproduction

To reproduce this vulnerability, install pbkdf2 version 3.1.2 or earlier on Node.js or io.js versions prior to 3.0.0 and call the pbkdf2Sync function with a Uint8Array as the password and another Uint8Array as the salt. The returned value is identical to the one produced for an empty password and empty salt with the same iteration count, key length and digest, demonstrating that the library has disregarded the input.

Remediation

Update to pbkdf2 version 3.1.3, which addresses the input validation issue. Updating alone does not repair values that were already derived: anyone who ran a vulnerable version on Node.js or io.js versions prior to 3.0.0 with Uint8Array inputs should review where the resulting static keys or hashes were used and take appropriate action, such as re-deriving or rotating those keys.

Added: Jun 23, 2025, 7:26 PM
Updated: Jun 23, 2025, 8:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.3
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.