jsrsasign Incomplete Comparison Vulnerability in Random Big Integer Functions Leading to DSA Nonce Bias

Vulnerability

A vulnerability exists in the jsrsasign package, affecting versions from 7.0.0 up to but not including 11.1.1. The issue is an incomplete comparison in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in crypto-1.1.js: the range check accepts candidate values that fall outside the requested interval instead of rejecting them and drawing again. These helpers supply the per-signature nonce during DSA signing, so the accepted out-of-range values skew the nonce distribution, and a biased DSA nonce is the classic precondition for private key recovery.

Impact

A DSA nonce must be drawn uniformly from [1, q-1]; any detectable bias in its distribution leaks information about the private key. Because the flawed functions return out-of-range candidates, nonces produced by affected versions are not uniform (after reduction modulo q, some residues occur more often than others). An attacker who collects enough signatures made with biased nonces can mount a lattice-based (hidden number problem) attack to recover the private key. The signatures themselves remain valid, so the signer gets no indication that anything is wrong.

Reproduction

To reproduce, mock the random number generator behind these functions so that it returns values outside the requested interval, and confirm that the vulnerable versions return those values unchanged instead of rejecting them and resampling. Feeding the mocked values into DSA signature creation and tallying the nonces (reduced modulo q) shows that the distribution is not uniform; a fixed version rejects the same mocked values.
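The procedure above, as an added example written for this page; it is not jsrsasign's code and does not call its API. The sampler with the incomplete comparison is a hypothetical model of the bug (it checks bit length instead of value), the mock RNG cycles deterministically through every candidate, the [min, max] helper is assumed to be built by shifting a [0, max-min] draw, and the DSA group (p = 23, q = 11, g = 4, x = 7) is a constructed toy so the nonce histogram can be read by eye.

```javascript
// Added example (not jsrsasign code): a model of an incomplete range check in a
// "random big integer in [min, max]" helper, and toy DSA parameters showing why
// accepted out-of-range candidates bias the effective nonce k mod q.

const bitLength = (n) => (n === 0n ? 0 : n.toString(2).length);

// Mock RNG (constructed): returns 0, 1, 2, ... 2^bits - 1 in turn, so every
// candidate the sampler could see, in range or not, is offered equally often.
function makeMockRng() {
  let counter = 0n;
  return (bits) => counter++ % (1n << BigInt(bits));
}

// Hypothetical flawed sampler (an assumed model of the incomplete comparison):
// it checks the candidate's bit length rather than its value, so any candidate
// of at most bitLength(max) bits is accepted, including candidates above max.
function flawedZeroToMax(max, rng) {
  const bits = bitLength(max);
  for (;;) {
    const cand = rng(bits);
    if (bitLength(cand) <= bits) return cand;
  }
}

// Corrected sampler: rejection sampling on the value itself.
function fixedZeroToMax(max, rng) {
  const bits = bitLength(max);
  for (;;) {
    const cand = rng(bits);
    if (cand <= max) return cand;
  }
}

// [min, max] built by shifting a draw from [0, max - min] (assumed construction).
function minToMax(min, max, zeroToMax, rng) {
  return min + zeroToMax(max - min, rng);
}

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (let e = exp; e > 0n; e >>= 1n) {
    if (e & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Extended Euclid; null when a has no inverse mod m (e.g. k ≡ 0 mod q).
function modInv(a, m) {
  let [r0, r1] = [((a % m) + m) % m, m];
  let [s0, s1] = [1n, 0n];
  while (r1 !== 0n) {
    const quot = r0 / r1;
    [r0, r1] = [r1, r0 - quot * r1];
    [s0, s1] = [s1, s0 - quot * s1];
  }
  return r0 === 1n ? ((s0 % m) + m) % m : null;
}

// Toy DSA group (constructed): q = 11 divides p - 1 = 22 and g = 4 has order 11.
const DSA = { p: 23n, q: 11n, g: 4n, x: 7n };

// Textbook DSA signing of a tiny hash value h with nonce k.
function dsaSign(h, k) {
  const { p, q, g, x } = DSA;
  const kInv = modInv(k % q, q);
  if (kInv === null) return null;           // degenerate nonce: k ≡ 0 (mod q)
  const r = modPow(g, k, p) % q;            // g has order q, so only k mod q matters
  const s = (kInv * (h + x * r)) % q;
  return { r, s };
}

const sameSignature = (a, b) => a !== null && b !== null && a.r === b.r && a.s === b.s;

// Draw n nonces from [1, q - 1] with the given sampler and a fresh mock RNG.
function sampleNonces(zeroToMax, n) {
  const rng = makeMockRng();
  return Array.from({ length: n }, () => minToMax(1n, DSA.q - 1n, zeroToMax, rng));
}

// Number of nonces outside [1, q - 1]; a correct sampler never returns any.
const outOfRange = (ks) => ks.filter((k) => k < 1n || k > DSA.q - 1n).length;

// Histogram of the effective nonce k mod q, the distribution an attacker exploits.
function effectiveNonceHistogram(ks) {
  const hist = {};
  for (const k of ks) hist[k % DSA.q] = (hist[k % DSA.q] || 0) + 1;
  return hist;
}

// Stand-alone run: one pass of the mock RNG through the flawed path.
if (typeof require !== "undefined" && require.main === module) {
  const ks = sampleNonces(flawedZeroToMax, 16);
  console.log("out-of-range nonces accepted:", outOfRange(ks));
  console.log("k mod q histogram:", effectiveNonceHistogram(ks));
  console.log("k = 3 and k = 14 sign identically:", sameSignature(dsaSign(5n, 3n), dsaSign(5n, 14n)));
}
```

With the mock RNG cycling through 0 to 15 for a requested range of [1, 10], the flawed path hands back nonces 1 through 16: the six values above 10 are the out-of-range acceptances, and after reduction modulo q they alias onto 1 through 5 (and 11 onto the degenerate 0), so those residues appear twice as often as 6 through 10. The corrected sampler rejects the same candidates and returns exactly 1 through 10. The aliasing is also visible at the signature level: dsaSign with k = 3 and with k = 14 yields the same (r, s), because both the r computation and the modular inverse of k depend only on k mod q.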

Remediation

Users are advised to upgrade jsrsasign to version 11.1.1 or later. The upgrade stops further biased nonces from being produced, but it does not undo the leak in signatures already issued: DSA keys that signed a large number of messages with an affected version should be treated as exposed and rotated.

Added: Mar 23, 2026, 6:22 AM
Updated: Mar 23, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.