201703-02

Incorrect IV generation for encryption

Background

Block ciphers use random, unique values to initialize the algorithm when the output of one block is fed back into the next. Those values are commonly known as Initialization Vectors (IVs). IVs are public (they are attached to the resulting ciphertext), so they must never be reused and must be generated by a proper Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) in order to be secure.

Description

An issue with IV generation has been discovered in the SimpleSAML\Utils\Crypto::_aesEncrypt() method, where the IV is not generated randomly but is derived from the first 16 bytes of the SHA-256 hash of the secret passed as a parameter. This unfortunate bug has two direct implications:

Affected versions

All SimpleSAMLphp versions from 1.14.0 to 1.14.11, both inclusive.

Impact

The issue described here undermines the security of the encryption offered by the SimpleSAML\Utils\Crypto::aesEncrypt() method; any secrets encrypted with it might therefore be compromised by an attacker with enough knowledge or resources.
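As an added illustration (not SimpleSAMLphp's own code), the following Python reproduces the flawed IV derivation described above beside a CSPRNG-based one, and includes a check a defender can run over stored ciphertexts to find blobs produced with the predictable IV. The exact encoding of the truncated digest (raw bytes or hex) and the IV || ciphertext storage layout are assumptions, not details taken from the advisory.

```python
import hashlib
import hmac
import os

IV_LEN = 16  # AES block size; the IV the advisory describes is 16 bytes


def derived_iv(secret: bytes) -> bytes:
    """Flawed construction as described in the advisory: the IV is the first
    16 bytes of SHA-256(secret), so the same secret always yields the same
    IV. (Reconstructed from the advisory text, not project code.)"""
    return hashlib.sha256(secret).digest()[:IV_LEN]


def derived_iv_hex(secret: bytes) -> bytes:
    """Assumed variant: the hex digest is truncated instead of the raw bytes
    (PHP hashing helpers return hex by default). Equally predictable."""
    return hashlib.sha256(secret).hexdigest()[:IV_LEN].encode("ascii")


def random_iv(_secret: bytes = b"") -> bytes:
    """Correct construction: a fresh IV from the OS CSPRNG on every call.
    The secret is deliberately ignored; the IV must not depend on it."""
    return os.urandom(IV_LEN)


def ivs_repeat(make_iv, secret: bytes, n: int = 8) -> bool:
    """True if n encryptions under the same secret would reuse an IV."""
    return len({make_iv(secret) for _ in range(n)}) < n


def iv_is_predictable(blob: bytes, secret: bytes) -> bool:
    """Defender-side check for stored ciphertexts. Assumes the layout is
    IV || ciphertext with the IV in the first 16 bytes (an assumption; confirm
    it against your real storage format). True means the blob was produced
    with the predictable IV and should be re-encrypted after upgrading."""
    if len(blob) < IV_LEN:
        return False
    iv = blob[:IV_LEN]  # compare_digest avoids timing differences
    return hmac.compare_digest(iv, derived_iv(secret)) or hmac.compare_digest(
        iv, derived_iv_hex(secret)
    )


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    print("derived IV repeats:", ivs_repeat(derived_iv, secret))  # True
    print("random IV repeats: ", ivs_repeat(random_iv, secret))  # False
    stored = derived_iv(secret) + bytes(32)  # constructed blob: IV || zeros
    print("stored blob predictable:", iv_is_predictable(stored, secret))  # True
```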

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered and reported on March 29, 2017 by Chris Czub (Duo Security).