Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)

Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verificatio...

Hasnain says:

Yikes. Goes to show how rolling your crypto is always hard and how you must always carefully follow the spec (the spec mandated checking for this case...)

"Therefore, a signature (r, s) = (0, 0) is deemed valid by the code for any message, and under any public key."

Posted on 2021-11-11T00:12:37+0000
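
The range check the comment refers to, as an added example (not code from the advisory or from the Stark Bank libraries): a textbook ECDSA verifier over secp256k1 that rejects any signature with r or s outside [1, N-1], with a `check_range` switch showing how a verifier without that check can accept (0, 0). The (0, 0) encoding of the point at infinity, the Fermat-style inverse, and the fixed nonce are assumptions of this sketch.

```python
import hashlib

# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = (0, 0)  # point at infinity encoded as (0, 0): an assumption of this sketch

def add(a, b):
    if a == INF: return b
    if b == INF: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(msg, d, k):  # k is fixed only to keep the demo deterministic
    r = mul(k, G)[0] % N
    return r, pow(k, N - 2, N) * (digest(msg) + r * d) % N

def verify(msg, sig, pub, check_range=True):
    r, s = sig
    # Check required by the ECDSA spec: r and s must both lie in [1, N-1]
    if check_range and not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, N - 2, N)  # Fermat inverse; silently yields 0 when s == 0
    z = digest(msg)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt[0] % N == r  # with r >= 1 enforced, INF (x = 0) can never match
```

With `check_range=False`, s = 0 makes both scalar multipliers zero, the sum is the point at infinity, and its x-coordinate of 0 equals r = 0 regardless of the message or public key.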