VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2023 · Updated May 7, 2025

CVE-2023-50981

Description

Crypto++ ModularSquareRoot infinite loop via crafted DER public key with squared odd number, enabling denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ModularSquareRoot function in Crypto++ (cryptopp) through version 8.9.0 contains an infinite-loop condition. ECP::DecodePoint calls it to recover the y coordinate when it parses a compressed elliptic curve point. Before running the square-root algorithm proper, the function searches for a quadratic non-residue with a loop of the form while (Jacobi(n, p) != -1) ++n;. The Jacobi symbol is multiplicative in its lower argument, so when p = m^2 for odd m, Jacobi(n, p) = Jacobi(n, m)^2, which is 0 or 1 and never -1; the loop therefore never terminates. The function's fast path for p congruent to 3 modulo 4 does not help, because the square of an odd number is congruent to 1 modulo 8 and so takes the slow path. The affected code is reached when the DER public key carries a compressed point (the advisory's example uses the 0x03 prefix; 0x02 is the other compressed form and is decoded the same way) [1].

Exploitation

An attacker can craft a DER-encoded public key whose explicit curve parameters specify a field modulus p that is the square of an odd number, such as 72358384006116823815439217615866351214375729203207450702838342058601772551609 (the square of 268995137513890432434389773128616504853), together with a point in compressed form (the advisory's example uses the 0x03 prefix). Any user or server that parses this DER data with Crypto++, for example to load a key for ECDSA signature verification, enters the infinite loop and is denied service [1]. Because p is taken from the key's own parameters, the attack requires an application that accepts explicitly specified domain parameters; a key that references only a named curve supplies no attacker-controlled p.

Impact

Successful exploitation results in a denial of service (DoS) due to an infinite loop, consuming CPU resources indefinitely. The attacker does not gain code execution or data access; the impact is limited to availability [1].

Mitigation

The fix proposed in the issue is to check at the start of ModularSquareRoot whether p is prime and reject non-prime inputs; the square of an odd number fails that test before the non-residue search is reached. As of the publication date (2023-12-18), no official patched release was available. Users should apply the proposed patch from the issue [1] or, until they can, avoid parsing untrusted DER public keys. Accepting only named curves, so that p always comes from a known prime rather than from the input, also closes this path.
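The arithmetic behind the vulnerability and the proposed check, reproduced as an added Python example (this is not Crypto++ code and not the patch from the issue). It re-implements the Jacobi symbol, mirrors the library's non-residue search with an iteration cap added so it returns instead of hanging, shows that the advisory's modulus yields only Jacobi values 0 and 1, and implements the up-front rejection of a non-prime modulus. The prime 998244353 and the small squares 9, 25 and 49 are this example's own comparison inputs, not values from the advisory.

```python
"""Why ModularSquareRoot spins on p = m*m, and the input check that prevents it.

Crypto++'s ModularSquareRoot(a, p) looks for a quadratic non-residue with
`while (Jacobi(n, p) != -1) ++n;` before running Tonelli-Shanks.  When p = m*m
with m odd, Jacobi(n, p) = Jacobi(n, m)**2 is 0 or 1, so the loop never exits.
"""
from math import isqrt
from typing import Optional

# Modulus quoted in the advisory: the square of an odd 39-digit integer.
M = 268995137513890432434389773128616504853
P = 72358384006116823815439217615866351214375729203207450702838342058601772551609

# Comparison modulus chosen for this example (not from the advisory): a prime that is
# 1 mod 4, so it takes the same slow path as P instead of the p % 4 == 3 fast path.
PRIME_1_MOD_4 = 998244353


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for positive odd n, by the standard binary algorithm."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:          # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def find_non_residue(p: int, max_iterations: int) -> Optional[int]:
    """Mirror of the library's search loop, with a cap added for this example.

    Returns the first n >= 2 with Jacobi(n, p) == -1, or None once the cap is hit.
    The library has no cap, so for p = m*m it never returns.
    """
    n = 2
    for _ in range(max_iterations):
        if jacobi(n, p) == -1:
            return n
        n += 1
    return None


def jacobi_values_seen(p: int, limit: int) -> set:
    """Set of Jacobi(n, p) values for 2 <= n < limit."""
    return {jacobi(n, p) for n in range(2, limit)}


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; enough to reject obviously composite moduli."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def modulus_rejection_reason(p: int) -> Optional[str]:
    """Check a hardened ModularSquareRoot should run before touching p.

    Returns None if p is acceptable, otherwise the reason it was rejected.  The
    perfect-square test targets exactly the shape that hangs the search loop; the
    primality test covers everything else, matching the fix proposed in the issue.
    """
    if p < 3 or p % 2 == 0:
        return "even or too small"
    root = isqrt(p)
    if root * root == p:
        return "perfect square"
    if not is_probable_prime(p):
        return "composite"
    return None


if __name__ == "__main__":
    assert P == M * M and M % 2 == 1
    print("P % 4 =", P % 4, "(p % 4 == 3 fast path not taken)")
    print("Jacobi values for n < 5000, p = M*M:", jacobi_values_seen(P, 5000))
    print("non-residue search, p = M*M, 20000 tries:", find_non_residue(P, 20000))
    print("non-residue search, p = 998244353:", find_non_residue(PRIME_1_MOD_4, 100))
    for p in (9, 25, 49, PRIME_1_MOD_4, P):
        print("modulus check:", modulus_rejection_reason(p))
```

The capped search returns None for the advisory's modulus however large the cap, while for the prime it returns 3 after two Jacobi evaluations; the rejection check turns the hang into an immediate error before any DER-supplied modulus reaches the loop.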

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1
