Security restrictions bypass in MSR JavaScript Cryptography Library

#VU13791 Security restrictions bypass in MSR JavaScript Cryptography Library

Published: 2018-07-10 | Updated: 2018-07-10

Vulnerability identifier: #VU13791

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8319

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MSR JavaScript Cryptography Library
Universal components / Libraries / Libraries used by multiple products

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists in MSR JavaScript Cryptography Library due to incorrect arithmetic computations. A remote unauthenticated attacker can craft a signature, without the need of the corresponding key, and mimic the entity associated with the public/private key pair to bypass security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MSR JavaScript Cryptography Library: All versions

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8319

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in Microsoft Research JavaScript Cryptography Library