Node-Forge Bleichenbacher-Style RSA Signature Forgery Vulnerability

A vulnerability in Node-Forge's RSASSA PKCS#1 v1.5 signature verification allows forgery of signatures for RSA keys with a low public exponent (e=3). This issue arises because the library fails to properly validate signatures, enabling attackers to manipulate the ASN.1 structure by adding extraneous bytes, thereby creating a signature that is incorrectly accepted as valid. The vulnerability is exacerbated by the fact that Node-Forge does not enforce the minimum padding requirements specified in RFC 8017, providing additional leeway for crafting forged signatures. This vulnerability affects Node-Forge versions prior to 1.4.0.

Impact

Exploitation of this vulnerability allows for the forgery of RSA signatures, which can undermine the integrity of digital signatures in applications that rely on RSA-based signature verification.

Reproduction

To reproduce this vulnerability, use Node.js and clone the Node-Forge repository. After checking out a commit prior to the patch (v1.3.3), run a script that generates an RSA key pair with a public exponent of 3. The script should create a valid signature using the key, then generate a forged signature by exploiting the vulnerability. Finally, verify both signatures using Node-Forge's verification method and compare the results.

Remediation

Users can upgrade to Node-Forge version 1.4.0 or later, where this vulnerability has been patched.