Sweet B Incorrect Output Vulnerabilities


WDC Tracking Number: WDC-22013
Product Line: Sweet B
Published: July 29, 2022

Last Updated: July 29, 2022

Description

The Sweet B cryptographic library was found to generate incorrect output under certain conditions. When compressing or decompressing elliptic curve points, an incorrect choice of sign bit is used, resulting in incorrect output. The handling of the NIST P-256 curve point with X coordinate of zero is incorrect, resulting in unreduced output from some operations, and an error return in other scenarios. Additionally, when an error is returned as a result of processing this curve point, a value is written to the output buffer prior to signaling the error, which may affect applications which do not properly check for error returns. An attacker may be able to leverage any of these vulnerabilities to cause an error scenario in an application which uses Sweet B. The vulnerabilities were identified by Western Digital during improvements to unit testing.

Product Impact: Sweet B
Minimum Fix Version: v2
Last Updated: July 29, 2022

Update Availability/Remediation

Fixes for these issues are available at https://github.com/westerndigitalcorporation/sweet-b in Sweet B tag “v2” and later revisions. Western Digital recommends that application developers update their library as soon as possible. Developers of applications which use Sweet B should examine their use of the vulnerable point compression/decompression, shared secret, and multiplication routines to determine how these vulnerabilities may affect their application. Application developers should also ensure that handling of library errors is consistent and that output buffers are not used by the application if an error is returned from a library routine.

Advisory Summary

When compressing or decompressing elliptic curve points using Sweet B, an incorrect choice of sign bit is used. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in denial of service. The vulnerability was addressed by correcting the choice of sign bit in the affected routines.

CVE Number: CVE-2022-23001

When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in denial of service. The vulnerability was addressed by fully reducing the output modulo the field prime.

CVE Number: CVE-2022-23002
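
As an added example (not Sweet B code and not part of this advisory), the following Python reference implements P-256 point compression and decompression so that library output for the two cases above, the sign bit and the point with an X coordinate of zero, can be cross-checked. It assumes the SEC 1 convention (prefix 0x02 for even Y, 0x03 for odd Y); the function names are hypothetical, and Sweet B's own API and encoding are not shown.

```python
# Reference P-256 point compression/decompression for cross-checking output.
# Assumption: SEC 1 convention, prefix 0x02 = even y, 0x03 = odd y.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def on_curve(x, y):
    """True only for fully reduced coordinates that satisfy the curve equation."""
    if not (0 <= x < P and 0 <= y < P):
        return False  # an unreduced value such as x == P is not a valid encoding
    return (y * y - (x * x * x + A * x + B)) % P == 0


def compress(x, y):
    """Encode a point as sign-bit prefix plus 32-byte big-endian x."""
    if not on_curve(x, y):
        raise ValueError("not a reduced P-256 point")
    return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")


def decompress(data):
    """Recover (x, y); nothing is returned unless every check has passed."""
    if len(data) != 33 or data[0] not in (0x02, 0x03):
        raise ValueError("malformed compressed point")
    x = int.from_bytes(data[1:], "big")
    if x >= P:
        raise ValueError("x coordinate is not reduced modulo p")
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root, valid because p % 4 == 3
    if y * y % P != rhs:
        raise ValueError("x is not the coordinate of a curve point")
    if (y & 1) != (data[0] & 1):
        y = P - y  # other root; y is never 0 on P-256 (prime group order)
    return x, y


if __name__ == "__main__":
    # Constructed inputs: the generator and both points with X = 0.
    for enc in (compress(GX, GY), b"\x02" + bytes(32), b"\x03" + bytes(32)):
        x, y = decompress(enc)
        print(enc[0], hex(x), hex(y), compress(x, y) == enc)
```

A value produced by the library can be compared against `compress` and `decompress` for the same input; a mismatch in the prefix byte or a coordinate that fails `on_curve` corresponds to the sign-bit and reduction defects described above.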

When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in denial of service. The vulnerability was addressed by fully reducing the output modulo the field prime.

CVE Number: CVE-2022-23003

When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in denial of service. The vulnerability was addressed by improving the point-scalar multiplication algorithm to account for anomalous input and by ensuring that errors are returned from library routines before any output buffer is written.

CVE Number: CVE-2022-23004