GMS-2022-9: Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme

January 6, 2022

In the threshold signature scheme, participants start by dividing secrets into shares using a secret sharing scheme. The Verifiable Secret Sharing scheme generates shares from the user’s IDs but does not properly validate them. Using a malicious ID will make other users reveal their secrets during the secret-sharing procedure. In addition, a second issue resulting from lack of validation could cause nodes to crash when sent maliciously formed user IDs.

References

github.com/advisories/GHSA-gp6j-vx54-5pmf
github.com/keep-network/keep-ecdsa/releases/tag/v1.8.1
github.com/keep-network/keep-ecdsa/security/advisories/GHSA-gp6j-vx54-5pmf

Code Behaviors & Features

Detect and mitigate GMS-2022-9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →