Vulnerability identifier: #VU26887
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-254
Exploitation vector: Network
Exploit availability: No
Vulnerable software: MSR JavaScript Cryptography Library
Vendor: Microsoft
Description
This vulnerability allows a local user to bypass security restrictions.
The vulnerability exists in the MSR JavaScript Cryptography Library due to multiple bugs in the library’s Elliptic Curve Cryptography (ECC) implementation. A remote attacker can gain information about a server’s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
MSR JavaScript Cryptography Library: All versions
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.