
GHSA-gp6j-vx54-5pmf
vulnerability analysis and mitigation

Overview

A critical vulnerability was discovered in the keep-network/keep-ecdsa package, affecting versions prior to 1.8.1. The issue lies in the verifiable secret sharing (VSS) step of the threshold ECDSA scheme, where improper validation of party IDs could expose the shared secret key to a malicious participant. The vulnerability was discovered and reported by Trail of Bits on December 6, 2021, and was patched in version 1.8.1, released on December 15, 2021 (GitHub Advisory).

Technical details

The vulnerability stems from insufficient validation of party IDs in the secret-sharing procedure. In this kind of polynomial secret sharing, each party's share is the sharing polynomial f evaluated at that party's ID, with all arithmetic done modulo the curve order q, and the secret is f(0). The code checked that a party ID was non-zero, but did not check that it was non-zero modulo q. An attacker could therefore set their ID equal to q, which evaluates to 0 modulo q during polynomial evaluation, so their share is f(0), the secret itself. The implementation also did not reject IDs that are distinct as integers but equal modulo q; such parties are assigned the same point on the polynomial and receive identical shares, and any step that divides by differences of IDs (for example, computing Lagrange coefficients during reconstruction) encounters a zero denominator. The vulnerable code lives in the binance-chain/tss-lib codebase that keep-network/keep-ecdsa uses to generate secret shares (GitHub Advisory).

Impact

The vulnerability could allow a malicious participant to learn other parties' secrets during the secret-sharing procedure: a party with an ID equal to the order of the curve receives the secret key itself as its share. Furthermore, maliciously formed party IDs could cause honest nodes to crash during key generation or resharing (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in version 1.8.1 of keep-network/keep-ecdsa. The fix validates party IDs before any share is computed, checking that every index is non-zero, non-zero modulo the curve order, and unique modulo the curve order. Users are strongly advised to upgrade to version 1.8.1 or later (Keep ECDSA Release). Because the flaw is in the tss-lib dependency rather than in keep-ecdsa's own code, other projects that consume binance-chain/tss-lib should confirm that the version they build against carries the same ID validation.
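The following Go program is an added illustration of the arithmetic behind both the flaw and the fix described above; it is not code from keep-ecdsa or tss-lib. It uses the secp256k1 order as q (the curve assumed here), a pre-fix-style sharing routine that only rejects id == 0 and therefore hands f(0), the secret, to a party whose ID is q, the post-fix rule (non-zero, non-zero modulo q, unique modulo q) applied before any share is computed, and a Lagrange reconstruction that shows why IDs that collide modulo q leave an honest node with a zero denominator. All function names and the demo secret are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Order q of secp256k1, the curve assumed for threshold ECDSA in this example.
var curveOrder, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// evalPoly returns f(x) = coeffs[0] + coeffs[1]*x + ... mod q (Horner's rule).
func evalPoly(coeffs []*big.Int, x, q *big.Int) *big.Int {
	acc := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		acc.Mul(acc, x).Add(acc, coeffs[i]).Mod(acc, q)
	}
	return acc
}

// newPoly builds a random polynomial of degree threshold-1 with f(0) = secret.
func newPoly(secret *big.Int, threshold int, q *big.Int) ([]*big.Int, error) {
	coeffs := []*big.Int{new(big.Int).Mod(secret, q)}
	for i := 1; i < threshold; i++ {
		c, err := rand.Int(rand.Reader, q)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	return coeffs, nil
}

// shareUnchecked models the pre-fix check: only id != 0 is enforced, so id == q
// slips through and receives f(q) = f(0) mod q, i.e. the secret.
func shareUnchecked(coeffs []*big.Int, id, q *big.Int) (*big.Int, error) {
	if id.Sign() == 0 {
		return nil, errors.New("party id must be non-zero")
	}
	return evalPoly(coeffs, id, q), nil
}

// validateIDs models the post-fix rule: non-zero, non-zero mod q, unique mod q.
func validateIDs(ids []*big.Int, q *big.Int) error {
	seen := map[string]int{}
	for i, id := range ids {
		r := new(big.Int).Mod(id, q)
		if id.Sign() == 0 || r.Sign() == 0 {
			return fmt.Errorf("party %d: id is zero or zero modulo the curve order", i)
		}
		if j, dup := seen[r.String()]; dup {
			return fmt.Errorf("party %d: id collides with party %d modulo the curve order", i, j)
		}
		seen[r.String()] = i
	}
	return nil
}

// reconstruct recovers f(0) by Lagrange interpolation. Each coefficient divides
// by (x_j - x_i); for ids equal modulo q that difference is 0 mod q and has no
// inverse, which is the arithmetic an honest node trips over on colliding ids.
func reconstruct(ids, shares []*big.Int, q *big.Int) (*big.Int, error) {
	sum := new(big.Int)
	for i := range ids {
		num, den := big.NewInt(1), big.NewInt(1)
		for j := range ids {
			if i != j {
				num.Mul(num, ids[j]).Mod(num, q)
				den.Mul(den, new(big.Int).Sub(ids[j], ids[i])).Mod(den, q)
			}
		}
		inv := new(big.Int).ModInverse(den, q)
		if inv == nil {
			return nil, errors.New("ids collide modulo the curve order: no modular inverse")
		}
		term := new(big.Int).Mul(shares[i], num)
		sum.Add(sum, term.Mul(term, inv)).Mod(sum, q)
	}
	return sum, nil
}

func main() {
	secret := big.NewInt(123456789) // constructed demo value; a real key is uniform in [1, q)
	coeffs, err := newPoly(secret, 3, curveOrder)
	if err != nil {
		panic(err)
	}
	// Pre-fix: id == q passes the non-zero check and is handed f(0), the secret.
	leaked, _ := shareUnchecked(coeffs, curveOrder, curveOrder)
	fmt.Println("share for id == q equals secret:", leaked.Cmp(secret) == 0)
	// Post-fix: the same id set is rejected before any share is computed.
	ids := []*big.Int{big.NewInt(1), big.NewInt(2), curveOrder}
	fmt.Println("validateIDs:", validateIDs(ids, curveOrder))
}
```

The ordering matters: validateIDs must run over the complete ID set before any party's share is evaluated, since the unchecked evaluation is what leaks f(0). The reconstruct function is included to show the second failure mode from the advisory, the zero denominator produced by IDs that are equal modulo q, rather than to claim anything about where tss-lib itself crashed.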

Community reactions

The vulnerability was discovered and reported by Trail of Bits, leading to a coordinated response involving both the Keep Network team and Binance, the maintainer of the affected tss-lib dependency. The disclosure was managed under an extended embargo period to give affected projects time to update their dependencies (GitHub Advisory).

Source

This report was generated using AI
