PT-2021-23101 · Npm · Keypair

Dan Suceava +1 · Published 2021-10-11 · Updated 2021-10-19 · CVE-2021-41117

CVSS v3.1: 8.7 High

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

keypair versions up to and including 1.0.3

Description

The keypair library, a JavaScript RSA PEM key generator, has a poor random number generation issue. The library does not rely entirely on a platform-provided CSPRNG and instead uses its own counter-based CMAC approach. The issue arises when the CMAC implementation is seeded with "true" random data in the defaultSeedFile function. In a browser, the library uses window.crypto.getRandomValues(), but in a Node.js environment it falls back to a less secure path that contains a bug. The fallback path uses a Lehmer LCG random number generator seeded with Math.random, which is a poor source of randomness but does not by itself explain the high frequency of duplicate keys. The main flaw is the incorrect encoding of the Lehmer LCG output, which leaves most of the buffer filled with zeros. Each byte in the RNG seed has a 97% chance of being 0, making the generated RSA keys relatively easy to guess. An attacker could decrypt confidential messages or gain authorized access to an account belonging to the victim.

Recommendations

For keypair versions up to and including 1.0.3, update to a version that includes the fix for the poor random number generation issue; the fix is available in commit 9596418. If the crypto module is available, it will be used instead of the pseudo-random number generator. As a temporary workaround, consider regenerating any RSA keys that were generated using the affected versions of keypair.
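
The zero-byte figure in the description can be reproduced with a short added example, which is not keypair's code. It assumes the encoding flaw has the shape described in the upstream advisory GHSA-3F99-HVG4-QJWJ: each byte is converted to a character and then handed to a buffer method that calls String.fromCharCode on it a second time. All function names are hypothetical.

```javascript
// Added illustration. Function names are hypothetical, not keypair identifiers.

// Buffer-style append that expects a NUMBER and stores it as one character.
function appendByte(buf, b) {
  buf.data += String.fromCharCode(b);
}

// Assumed shape of the flaw: the byte is turned into a character first, so
// appendByte receives a one-character STRING. String.fromCharCode coerces it
// to a number: "1".."9" become 1..9, every other character becomes 0.
function encodeFlawed(buf, value) {
  appendByte(buf, String.fromCharCode(value & 0xff));
}

// Intended encoding: pass the numeric byte straight through.
function encodeCorrect(buf, value) {
  appendByte(buf, value & 0xff);
}

// Run every possible input byte (0..255) through an encoder.
function encodeAllBytes(encoder) {
  const buf = { data: '' };
  for (let v = 0; v < 256; v++) encoder(buf, v);
  return Array.from(buf.data, (c) => c.charCodeAt(0));
}

// Fraction of output bytes that are zero, assuming uniform input bytes.
function zeroFraction(encoder) {
  const out = encodeAllBytes(encoder);
  return out.filter((b) => b === 0).length / out.length;
}

// Distinct byte values that can appear in a seed built with the encoder.
function reachableValues(encoder) {
  return [...new Set(encodeAllBytes(encoder))].sort((a, b) => a - b);
}

console.log('flawed  zero fraction:', zeroFraction(encodeFlawed).toFixed(3));
console.log('correct zero fraction:', zeroFraction(encodeCorrect).toFixed(3));
console.log('flawed  reachable values:', reachableValues(encodeFlawed).join(','));
```

Under this assumption 247 of 256 input bytes collapse to zero, which matches the roughly 97% figure, and the same check against a correct encoder shows the expected 1 in 256.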

Related Identifiers

CVE-2021-41117
GHSA-3F99-HVG4-QJWJ

Affected Products

Keypair