Denial of Service in latest version [1.2.3]

[findneo]

Please confirm if it is vulnerable.
Mitre id: CVE-2020-7226
Reporter: findneo

[Suggested description]
CiphertextHeader.java in
Cryptacular 1.2.3, as used in Apereo CAS and other products, allows
attackers to trigger excessive memory allocation during a decode
operation, because the nonce array length associated with "new byte" may
depend on untrusted input within the header of encoded data.

---

[Additional Information]
any encoded network communication based on
org.cryptacular.CiphertextHeader#decode(byte[]) is affected. xxx of
new byte[xxx] can be controlled by client and can be up to 0x7ffffffd
,which caused 2G of memory consuming without demanding for any
privilege.

one of the products using this vuln code is cas4.2.0.
login flow of cas4.2.0 based on
org.cryptacular.CiphertextHeader#decode(byte[]) ,Concretely
speaking,the affected code is
org.jasig.spring.webflow.plugin.EncryptedTranscoder#decode

besides,codebase for cas4.2.0 is apereo/cas-overlay-template@7eaf9d7

---

[VulnerabilityType Other]
Denial of Service

---

[Vendor of Product]
http://www.cryptacular.org/

---

[Affected Product Code Base]
cryptacular - 1.2.3

---

[Affected Component]
org.cryptacular.CiphertextHeader#decode(byte[]) ,
https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153

---

[Attack Type]
Remote

---

[Impact Denial of Service]
true

---

[Attack Vectors]
a crafted header of encoded data.
e.g '\x00\x00\x00\x34\x7f\xff\xff\xfd'

[serac]

Confirmed. We're analyzing feasibility of a backward-compatible patch and will follow up with release schedule shortly.

[serac]

Resolved by #53.

[ManjunathMS35]

Hi,

When is the fixed version planned to be released? and is there a plan to backport this patch to 1.1.x version?

Thanks,
Manjunath

[dfish3r]

I'm hoping for a release in the next week. Have you done any testing with the latest snapshot?

[dfish3r]

1.2.4 has been released.