Advisory Database

GMS-2021-43: Signature verification vulnerability in Stark Bank ecdsa libraries

November 8, 2021

An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform and to bypass the signature verification needed to perform operations on the platform, such as sending payments and transferring funds. Additionally, the ability to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

References

  • github.com/advisories/GHSA-9wx7-jrvc-28mm
  • github.com/starkbank/ecdsa-dotnet
  • github.com/starkbank/ecdsa-java
  • github.com/starkbank/ecdsa-node
  • github.com/starkbank/ecdsa-python/releases/tag/v2.0.1
  • research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/

Affected versions

Version 1.1.2

Fixed versions

  • 1.1.3

Solution

Upgrade starkbank-ecdsa to version 1.1.3 or above.

Source file

npm/starkbank-ecdsa/GMS-2021-43.yml

Page generated Wed, 14 May 2025 12:14:53 +0000.