Janmojzis TinySSH Ed25519 Signature Verification Vulnerability Allowing Signature Malleability

Vulnerability

A signature malleability vulnerability exists in Janmojzis TinySSH versions through 20250501. The issue is in the Ed25519 signature verification component, specifically in the file 'tinyssh/crypto_sign_ed25519_tinyssh.c'. The implementation does not fully validate the scalar 'S' during signature verification, as RFC 8032 requires. This oversight allows an attacker to manipulate a valid signature by adding multiples of the Ed25519 group order 'L' to the scalar 'S', creating a non-canonical signature that is still accepted as valid. While this does not directly compromise private keys, it undermines the uniqueness of signatures and can disrupt protocols that rely on signature integrity.

Impact

Exploitation of this vulnerability leads to malleable Ed25519 signatures, where a modified signature (S+L) is accepted as valid, breaking signature uniqueness and potentially causing issues in applications that depend on canonical signature representation.

Reproduction

The vulnerability can be reproduced by using the TinySSH Ed25519 verifier (the non-lib25519 path) to verify signatures. The verification process will incorrectly accept signatures where the scalar 'S' has been manipulated to be out of the canonical range, specifically by adding the subgroup order 'L' to 'S'. This can be automated with a proof-of-concept program that signs a message, creates a malleated signature by adding 'L' to 'S', and then verifies both the original and malleated signatures using the vulnerable TinySSH implementation.

Remediation

Users are advised to upgrade to Janmojzis TinySSH version 20260301, which includes the necessary fix for this vulnerability. The updated version is available on the TinySSH GitHub releases page.
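The range check on 'S' that RFC 8032 calls for (0 <= S < L), written as an added example; it is not TinySSH's code or the upstream fix, and the function names and the sample signatures in main() are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Ed25519 group order L, little-endian:
   L = 2^252 + 27742317777372353535851937790883648493 */
static const unsigned char ED25519_L[32] = {
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};

/* Returns 1 if 0 <= s < L, else 0. Branch-free, most significant byte first. */
int scalar_is_canonical(const unsigned char s[32])
{
    unsigned int lt = 0;   /* set once s is known to be below L */
    unsigned int eq = 1;   /* stays 1 while all higher bytes were equal */
    int i;
    for (i = 31; i >= 0; i--) {
        unsigned int a = s[i], b = ED25519_L[i];
        lt |= ((a - b) >> 8) & eq;   /* a < b: the borrow sets bit 0 */
        eq &= ((a ^ b) - 1u) >> 8;   /* a == b: 0 - 1 wraps, bit 0 stays set */
    }
    return (int)(lt & 1u);
}

/* Hypothetical pre-check for a 64-byte signature R || S: a verifier calls
   this first and rejects the signature when it returns 0. */
int ed25519_sig_s_in_range(const unsigned char sig[64])
{
    return scalar_is_canonical(sig + 32);
}

int main(void)
{
    unsigned char sig[64] = {0};        /* constructed: R = 0, S = 0 */
    printf("S = 0     -> %d\n", ed25519_sig_s_in_range(sig));
    memcpy(sig + 32, ED25519_L, 32);    /* constructed: S = L (out of range) */
    printf("S = L     -> %d\n", ed25519_sig_s_in_range(sig));
    sig[32] -= 1;                       /* constructed: S = L - 1 (largest valid) */
    printf("S = L - 1 -> %d\n", ed25519_sig_s_in_range(sig));
    return 0;
}
```

The check only establishes that 'S' is in range; the normal Ed25519 verification equation still has to pass afterwards.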

Added: Mar 22, 2026, 9:19 AM
Updated: Mar 22, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.