CVE-2019-11840
Published: 2019-05-09
Priority: P4, 32, medium; CVSS 3.1 score: 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 3.44% (87.5th percentile)
An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | golang-go.crypto | < golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bookworm) | golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bookworm) |
| golang.org | x_crypto | >= 0 < 0.0.0-20190320223903-b7391e95e576 | 0.0.0-20190320223903-b7391e95e576 |
CVSS provenance
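| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | | 5.9 | MEDIUM | |
| vendor_debian | | 5.9 | MEDIUM | |
| vendor_redhat | | 5.9 | MEDIUM | |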
Red Hat
golang.org/x/crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
vendor_redhat·2019-03-20·CVSS 5.9·CWE-330
Package: gomtree (Red Hat Enterprise Linux 7) - Not affected
Package: gomtree (Red Hat Enterp
Debian
CVE-2019-11840: golang-go.crypto - An issue was discovered in the supplementary Go cryptography library, golang.org...
vendor_debian·2019·CVSS 5.9
Scope: local
bookworm: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
bullseye: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
forky: resolved (fixed in 1:0.0~git20200221.2aa609c-1
OSV
Insufficiently random values in golang.org/x/crypto/salsa20
osv·2022-07-01
XORKeyStream generates incorrect and insecure output for very large inputs.
If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.
Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.
OSV
golang.org/x/crypto/salsa20/salsa uses insufficiently random values
osv·2022-05-24
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
### Specific Go Packages Affected
golang.org/x/crypto/salsa20/salsa
GHSA
golang.org/x/crypto/salsa20/salsa uses insufficiently random values
ghsa·2022-05-24·CWE-330
### Specific Go Packages Affected
golang.org/x/crypto/salsa20/salsa
OSV
CVE-2019-11840: An issue was discovered in the supplementary Go cryptography library, golang
osv·2019-05-09·CVSS 5.9
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11840 golang-googlecode-go-crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter [fedora-all]
bugzilla·2019-03-21·CVSS 5.9
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: th
Bugzilla
CVE-2019-11840 source-to-image: golang-googlecode-go-crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter [fedora-all]
bugzilla·2019-03-21·CVSS 5.9
Bugzilla
CVE-2019-11840 golang-googlecode-go-crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter [epel-all]
bugzilla·2019-03-21·CVSS 5.9
Bugzilla
CVE-2019-11840 gomtree: golang-googlecode-go-crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter [fedora-all]
bugzilla·2019-03-21·CVSS 5.9
Bugzilla
CVE-2019-11840 golang.org/x/crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
bugzilla·2019-03-21·CVSS 5.9
A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
Upstream patch:
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
References:
https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
Discussion:
Created golang-googl
https://bugzilla.redhat.com/show_bug.cgi?id=1691529
https://github.com/golang/go/issues/30965
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
https://groups.google.com/forum/#%21msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
https://lists.debian.org/debian-lts-announce/2019/06/msg00029.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00016.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00030.html
https://lists.debian.org/debian-lts-announce/2021/01/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
https://pkg.go.dev/vuln/GO-2022-0209
Published: 2019-05-09