node-forge Integer Overflow Vulnerability Allowing OID Spoofing

Vulnerability

An integer overflow vulnerability has been identified in node-forge versions through 1.3.1. It allows remote, unauthenticated attackers to create ASN.1 structures with oversized object identifiers (OIDs). The manipulation takes advantage of 32-bit truncation in the decoder's bitwise arithmetic, causing the OIDs to be incorrectly interpreted as smaller, trusted values. As a result, security decisions based on OIDs can be bypassed. This issue has been addressed in version 1.3.2.

Impact

Exploitation of this vulnerability allows for the spoofing of OIDs in ASN.1 structures. A malicious certificate containing a large, invalid OID could be misrepresented as a legitimate, trusted OID, potentially circumventing security measures that rely on OID validation. This vulnerability could lead to a partial compromise of integrity, with possible repercussions for availability and confidentiality in affected applications.

Reproduction

The vulnerability can be reproduced with node-forge version 1.3.1 or earlier. When the 'asn1.derToOid' function decodes an OID arc whose integer value is larger than 2^32-1, the value overflows and wraps around instead of being rejected as invalid. This behavior can be tested by crafting an ASN.1 structure with an oversized OID and observing how it is decoded.
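The following is an added example, not node-forge's own code: a BigInt-based decoder for the content octets of a DER OBJECT IDENTIFIER that cannot wrap at 32 bits, plus a check that flags any arc a 32-bit truncating decoder would misread. The function names and the sample byte strings are constructed for this illustration.

```javascript
// Added example, not node-forge's own code: decode the content octets of a DER
// OBJECT IDENTIFIER with BigInt so that no arc can be truncated to 32 bits,
// and report any arc that a 32-bit decoder would wrap around.

const MAX_32BIT_ARC = (1n << 32n) - 1n; // 2^32-1

// Split OID content octets (tag and length already removed) into raw
// base-128 subidentifiers as BigInts. Rejects truncated or non-minimal input.
function decodeSubidentifiers(bytes) {
  const subids = [];
  let value = 0n;
  let inArc = false;
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    if (!inArc && b === 0x80) throw new Error(`non-minimal subidentifier at offset ${i}`);
    inArc = true;
    value = (value << 7n) | BigInt(b & 0x7f); // BigInt arithmetic: no 32-bit wraparound
    if ((b & 0x80) === 0) { subids.push(value); value = 0n; inArc = false; }
  }
  if (inArc) throw new Error('truncated OID: continuation bit set on last octet');
  if (subids.length === 0) throw new Error('empty OID');
  return subids;
}

// Dotted-decimal form. The first subidentifier packs two arcs as 40*X + Y
// (X in 0..2; for X = 2, Y may exceed 39).
function decodeOid(bytes) {
  const subids = decodeSubidentifiers(bytes);
  const first = subids[0];
  const arcs = first < 80n ? [first / 40n, first % 40n] : [2n, first - 80n];
  return arcs.concat(subids.slice(1)).map(String).join('.');
}

// Arcs larger than 2^32-1, as decimal strings. A non-empty result means a
// 32-bit truncating decoder (node-forge <= 1.3.1 per the advisory) would
// reduce the arc to arc mod 2^32 and report a different, smaller OID.
function oversizedArcs(bytes) {
  return decodeSubidentifiers(bytes).filter(v => v > MAX_32BIT_ARC).map(String);
}

// Constructed samples: the RSADSI prefix 1.2.840.113549, and the same
// prefix with a third arc of 2^32 (base-128 encoded as 90 80 80 80 00).
const SAMPLE_OK = Uint8Array.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d]);
const SAMPLE_OVERSIZED = Uint8Array.from([0x2a, 0x90, 0x80, 0x80, 0x80, 0x00]);

console.log(decodeOid(SAMPLE_OK), oversizedArcs(SAMPLE_OK));               // 1.2.840.113549 []
console.log(decodeOid(SAMPLE_OVERSIZED), oversizedArcs(SAMPLE_OVERSIZED)); // 1.2.4294967296 [ '4294967296' ]
```

Running oversizedArcs over the OIDs in a certificate's algorithm identifiers and extensions is a quick way to spot inputs that an unpatched decoder would have silently misreported.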

Remediation

Users can upgrade to node-forge version 1.3.2 or later, where this vulnerability has been fixed.

Added: Nov 26, 2025, 11:19 PM
Updated: Nov 26, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.2
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.