CVE-2022-47930: 
Linux openSUSE vulnerability analysis and mitigation

An issue was discovered in IO FinNet tss-lib before 2.0.0 that affects both ECDSA and EdDSA threshold signature schemes. The vulnerability (CVE-2022-47930) involves the parameter ssid for defining a session id, which is not properly utilized throughout the MPC implementation. This security flaw was discovered during an audit by Kudelski Security and was publicly disclosed on March 28, 2023 (IoFinnet Blog).

The vulnerability stems from the Fiat-Shamir transformation's challenge generation implementation. The challenge is computed as c = H(X.X() || X.Y() || g.X() || g.Y() || A.X() || A.Y()), but critically lacks a unique session identifier (SSID), context string, or random nonce. Specifically, the Schnorr proof of knowledge implemented in sch.go does not utilize these security elements in the generation of the challenge. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.8 (MEDIUM) with the vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability makes replaying and spoofing of messages easier within the system. A malicious user or an eavesdropper could potentially replay a valid proof that was sent in the past, compromising the security of the protocol. This could lead to unauthorized signing of transactions or manipulation of critical data, potentially causing financial or reputational damage to affected parties (IoFinnet Blog).

The issue has been fixed in version 2.0.0 of the tss-lib. The recommended mitigation involves enhancing the challenge generation in the Fiat-Shamir transformation by generating a unique session ID (SSID) and computing the challenge using a hash function that takes the SSID, public values, and the prover's commitment as inputs. The modified implementation should use rejection sampling with the computed challenge (IoFinnet Blog).