
CVE-2024-21669: Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC

January 9, 2024

Impact

When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation-level proof (document.proof) was not factored into the final verified value (true/false) on the presentation record: only the embedded credential results were. Below is an example result from verifying a JSON-LD Presentation in which the presentation proof fails (a mismatched challenge, so presentation_result.verified is false and the error is listed under errors), but the overall result is incorrectly "verified": true:

{
 "verified": true,
 "presentation_result": {
  "verified": false,
  "document": {
   "@context": [
    "https://www.w3.org/2018/credentials/v1"
   ],
   "type": [
    "VerifiablePresentation"
   ],
   "verifiableCredential": [
    {
     "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://w3id.org/citizenship/v1"
     ],
     "type": [
      "VerifiableCredential",
      "PermanentResident"
     ],
     "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
     "issuanceDate": "2023-11-18",
     "credentialSubject": {
      "type": [
       "PermanentResident"
      ],
      "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
      "givenName": "Bob",
      "familyName": "Builder",
      "gender": "Male",
      "birthCountry": "Bahamas",
      "birthDate": "1958-07-17"
     },
     "proof": {
      "type": "Ed25519Signature2018",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
      "created": "2023-11-18T21:39:56.988853+00:00",
      "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
     }
    }
   ],
   "proof": {
    "type": "Ed25519Signature2018",
    "proofPurpose": "authentication",
    "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
    "created": "2023-11-18T21:39:59.188276+00:00",
    "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d",
    "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw"
   }
  },
  "results": [
   {
    "verified": false,
    "proof": {
     "@context": [
      "https://www.w3.org/2018/credentials/v1"
     ],
     "type": "Ed25519Signature2018",
     "proofPurpose": "authentication",
     "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
     "created": "2023-11-18T21:39:59.188276+00:00",
     "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d",
     "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw"
    },
    "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969",
    "purpose_result": {
     "valid": false,
     "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
    }
   }
  ],
  "errors": [
   "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
  ]
 },
 "credential_results": [
  {
   "verified": true,
   "document": {
    "@context": [
     "https://www.w3.org/2018/credentials/v1",
     "https://w3id.org/citizenship/v1"
    ],
    "type": [
     "VerifiableCredential",
     "PermanentResident"
    ],
    "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
    "issuanceDate": "2023-11-18",
    "credentialSubject": {
     "type": [
      "PermanentResident"
     ],
     "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
     "givenName": "Bob",
     "familyName": "Builder",
     "gender": "Male",
     "birthCountry": "Bahamas",
     "birthDate": "1958-07-17"
    },
    "proof": {
     "type": "Ed25519Signature2018",
     "proofPurpose": "assertionMethod",
     "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
     "created": "2023-11-18T21:39:56.988853+00:00",
     "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
    }
   },
   "results": [
    {
     "verified": true,
     "proof": {
      "@context": [
       "https://www.w3.org/2018/credentials/v1",
       "https://w3id.org/citizenship/v1"
      ],
      "type": "Ed25519Signature2018",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
      "created": "2023-11-18T21:39:56.988853+00:00",
      "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
     },
     "purpose_result": {
      "valid": true,
      "controller": {
       "@context": "https://w3id.org/security/v2",
       "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
       "assertionMethod": [
        "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1"
       ],
       "authentication": [
        {
         "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
         "type": "Ed25519VerificationKey2018",
         "controller": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
         "publicKeyBase58": "8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo"
        }
       ],
       "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
       "https://www.w3.org/ns/did#service": {
        "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication",
        "type": "did-communication",
        "https://www.w3.org/ns/did#serviceEndpoint": {
         "id": "http://alice:3000"
        }
       }
      }
     }
    }
   ]
  }
 ],
 "errors": [
  "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
 ]
}

The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed presentation proofs that are nonetheless reported as verified, and allows malicious verifiers to save a presentation received from such a holder and replay it to another verifier as their own: the challenge mismatch that should reject the replay is recorded in presentation_result, but does not change the top-level result.

This vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release 0.7.0.

All ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.
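The following is an added, constructed model of the aggregation mistake described above and of the replay it enables. It is not ACA-Py source code: it only mirrors the response shape shown in the advisory (top-level "verified", "presentation_result", "credential_results", "errors"), assumes the JWS signatures themselves verify, and models only the presentation proof's challenge binding. The function names, the "fresh challenge" of a second verifier, and the abbreviated presentation document are all assumptions made for the example.

```python
"""Model of the result aggregation behind CVE-2024-21669.

Constructed example, not ACA-Py source code. It mirrors the response shape
shown in the advisory so the aggregation mistake can be seen in isolation:
the pre-fix aggregation derives the top-level "verified" from the credential
results alone, the corrected one also requires the presentation proof to have
verified. JWS signature checks are assumed to succeed and are not modelled.
"""
from typing import Any

# Constructed inputs, reusing the identifiers that appear in the advisory.
HOLDER_DID = "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C"
ORIGINAL_CHALLENGE = "ce0956d4-206d-4b69-a087-52bbb9ddaf1d"  # challenge the holder signed over
FRESH_CHALLENGE = "328daf6e-f1f5-475a-944e-6446e7b3a969"     # challenge a second verifier issued

# Abbreviated presentation: the credential body is elided, the proof keeps the
# fields that matter for the challenge check.
PRESENTATION: dict[str, Any] = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiablePresentation"],
    "verifiableCredential": [{"type": ["VerifiableCredential", "PermanentResident"]}],
    "proof": {
        "type": "Ed25519Signature2018",
        "proofPurpose": "authentication",
        "verificationMethod": f"{HOLDER_DID}#{HOLDER_DID[len('did:key:'):]}",
        "challenge": ORIGINAL_CHALLENGE,
        "jws": "<signature assumed valid for this example>",
    },
}

# In the advisory's sample the embedded credential's own proof verified, so the
# per-credential result is modelled as already verified.
CREDENTIAL_RESULTS = [{"verified": True, "results": [{"verified": True}]}]


def verify_presentation_proof(proof: dict[str, Any], expected_challenge: str) -> dict[str, Any]:
    """Check that the presentation proof is bound to this verifier's challenge.

    The challenge is the anti-replay control: a presentation captured by one
    verifier carries that verifier's challenge and must fail when presented
    to a verifier that issued a different one.
    """
    challenge = proof.get("challenge")
    if challenge != expected_challenge:
        error = (f"The challenge is not as expected; "
                 f"challenge={challenge}, expected={expected_challenge}")
        return {"verified": False, "proof": proof, "error": error,
                "purpose_result": {"valid": False, "error": error}}
    return {"verified": True, "proof": proof, "purpose_result": {"valid": True}}


def overall_verified_vulnerable(presentation_result: dict[str, Any],
                                credential_results: list[dict[str, Any]]) -> bool:
    """Pre-fix aggregation as the advisory describes it: the presentation
    proof result is never consulted, only the credential results are."""
    return all(c["verified"] for c in credential_results)


def overall_verified_fixed(presentation_result: dict[str, Any],
                           credential_results: list[dict[str, Any]]) -> bool:
    """Corrected aggregation: the presentation proof must also have verified."""
    return presentation_result["verified"] and all(c["verified"] for c in credential_results)


def verify(presentation: dict[str, Any], expected_challenge: str,
           credential_results: list[dict[str, Any]], fixed: bool) -> dict[str, Any]:
    """Build a response in the advisory's shape using either aggregation."""
    pres_result = verify_presentation_proof(presentation["proof"], expected_challenge)
    errors = [pres_result["error"]] if "error" in pres_result else []
    aggregate = overall_verified_fixed if fixed else overall_verified_vulnerable
    return {
        "verified": aggregate(pres_result, credential_results),
        "presentation_result": pres_result,
        "credential_results": credential_results,
        "errors": errors,
    }


def replay_accepted(fixed: bool) -> bool:
    """A malicious verifier replays the saved presentation to a verifier that
    issued FRESH_CHALLENGE. Returns the top-level 'verified' that verifier sees."""
    return verify(PRESENTATION, FRESH_CHALLENGE, CREDENTIAL_RESULTS, fixed)["verified"]


if __name__ == "__main__":
    import json
    response = verify(PRESENTATION, FRESH_CHALLENGE, CREDENTIAL_RESULTS, fixed=False)
    print(json.dumps({k: response[k] for k in ("verified", "errors")}, indent=1))
    print("replay accepted (vulnerable aggregation):", replay_accepted(fixed=False))
    print("replay accepted (fixed aggregation):     ", replay_accepted(fixed=True))
```

Running the block reproduces the advisory's shape: with the vulnerable aggregation the replayed presentation yields "verified": true while errors carries the challenge mismatch; with the corrected aggregation the same input yields false. A consumer reading the response of an unpatched agent should therefore not act on the top-level value alone.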

Patches

This issue has been patched in version 0.10.5 and fixed in 0.11.0.

Workarounds

There is no workaround other than upgrading to a patched/fixed version of ACA-Py.

References

  • github.com/advisories/GHSA-97x9-59rv-q5pm
  • github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293
  • github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2
  • github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5
  • github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0
  • github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm


Affected versions

All versions starting from 0.7.0 before 0.10.5, all versions starting from 0.11.0rc1 before 0.11.0

Fixed versions

  • 0.10.5
  • 0.11.0

Solution

Upgrade to versions 0.10.5, 0.11.0 or above.

Severity: 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source file

pypi/aries-cloudagent/CVE-2024-21669.yml

Page generated Wed, 14 May 2025 12:15:13 +0000.