Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-97x9-59rv-q5pm: Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC

Impact

When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation document.proof was not factored into the final verified value (true/false) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly "verified": true:

{
  "verified": true,
  "presentation_result": {
    "verified": false,
    "document": {
      "@context": [
        "https://www.w3.org/2018/credentials/v1"
      ],
      "type": [
        "VerifiablePresentation"
      ],
      "verifiableCredential": [
        {
          "@context": [
            "https://www.w3.org/2018/credentials/v1",
            "https://w3id.org/citizenship/v1"
          ],
          "type": [
            "VerifiableCredential",
            "PermanentResident"
          ],
          "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
          "issuanceDate": "2023-11-18",
          "credentialSubject": {
            "type": [
              "PermanentResident"
            ],
            "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
            "givenName": "Bob",
            "familyName": "Builder",
            "gender": "Male",
            "birthCountry": "Bahamas",
            "birthDate": "1958-07-17"
          },
          "proof": {
            "type": "Ed25519Signature2018",
            "proofPurpose": "assertionMethod",
            "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
            "created": "2023-11-18T21:39:56.988853+00:00",
            "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
          }
        }
      ],
      "proof": {
        "type": "Ed25519Signature2018",
        "proofPurpose": "authentication",
        "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
        "created": "2023-11-18T21:39:59.188276+00:00",
        "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d",
        "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw"
      }
    },
    "results": [
      {
        "verified": false,
        "proof": {
          "@context": [
            "https://www.w3.org/2018/credentials/v1"
          ],
          "type": "Ed25519Signature2018",
          "proofPurpose": "authentication",
          "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
          "created": "2023-11-18T21:39:59.188276+00:00",
          "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d",
          "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw"
        },
        "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969",
        "purpose_result": {
          "valid": false,
          "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
        }
      }
    ],
    "errors": [
      "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
    ]
  },
  "credential_results": [
    {
      "verified": true,
      "document": {
        "@context": [
          "https://www.w3.org/2018/credentials/v1",
          "https://w3id.org/citizenship/v1"
        ],
        "type": [
          "VerifiableCredential",
          "PermanentResident"
        ],
        "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
        "issuanceDate": "2023-11-18",
        "credentialSubject": {
          "type": [
            "PermanentResident"
          ],
          "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
          "givenName": "Bob",
          "familyName": "Builder",
          "gender": "Male",
          "birthCountry": "Bahamas",
          "birthDate": "1958-07-17"
        },
        "proof": {
          "type": "Ed25519Signature2018",
          "proofPurpose": "assertionMethod",
          "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
          "created": "2023-11-18T21:39:56.988853+00:00",
          "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
        }
      },
      "results": [
        {
          "verified": true,
          "proof": {
            "@context": [
              "https://www.w3.org/2018/credentials/v1",
              "https://w3id.org/citizenship/v1"
            ],
            "type": "Ed25519Signature2018",
            "proofPurpose": "assertionMethod",
            "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
            "created": "2023-11-18T21:39:56.988853+00:00",
            "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
          },
          "purpose_result": {
            "valid": true,
            "controller": {
              "@context": "https://w3id.org/security/v2",
              "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
              "assertionMethod": [
                "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1"
              ],
              "authentication": [
                {
                  "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
                  "type": "Ed25519VerificationKey2018",
                  "controller": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
                  "publicKeyBase58": "8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo"
                }
              ],
              "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
              "https://www.w3.org/ns/did#service": {
                "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication",
                "type": "did-communication",
                "https://www.w3.org/ns/did#serviceEndpoint": {
                  "id": "http://alice:3000"
                }
              }
            }
          }
        }
      ]
    }
  ],
  "errors": [
    "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
  ]
}

The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.

This vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release in 0.7.0.

All ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.

Patches

This issue has been patched in version 0.10.5 and fixed in 0.11.0.

Workarounds

There is no workaround other upgrading to a patched/fixed version of ACA-Py.

ghsa
#sql#vulnerability#js#git#perl#auth

When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation document.proof was not factored into the final verified value (true/false) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly "verified": true:

{ "verified": true, "presentation_result": { "verified": false, "document": { "@context": [ “https://www.w3.org/2018/credentials/v1” ], "type": [ “VerifiablePresentation” ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", “https://w3id.org/citizenship/v1” ], "type": [ "VerifiableCredential", “PermanentResident” ], "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "issuanceDate": "2023-11-18", "credentialSubject": { "type": [ “PermanentResident” ], "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "givenName": "Bob", "familyName": "Builder", "gender": "Male", "birthCountry": "Bahamas", "birthDate": “1958-07-17” }, "proof": { "type": "Ed25519Signature2018", "proofPurpose": "assertionMethod", "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "created": "2023-11-18T21:39:56.988853+00:00", "jws": “eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0…eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA” } } ], "proof": { "type": "Ed25519Signature2018", "proofPurpose": "authentication", "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "created": "2023-11-18T21:39:59.188276+00:00", "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d", "jws": “eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0…4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw” } }, "results": [ { "verified": false, "proof": { "@context": [ “https://www.w3.org/2018/credentials/v1” ], "type": "Ed25519Signature2018", "proofPurpose": "authentication", "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "created": "2023-11-18T21:39:59.188276+00:00", "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d", "jws": “eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0…4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw” }, "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969", "purpose_result": { "valid": false, "error": “The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969” } } ], "errors": [ “The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969” ] }, "credential_results": [ { "verified": true, "document": { "@context": [ "https://www.w3.org/2018/credentials/v1", “https://w3id.org/citizenship/v1” ], "type": [ "VerifiableCredential", “PermanentResident” ], "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "issuanceDate": "2023-11-18", "credentialSubject": { "type": [ “PermanentResident” ], "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "givenName": "Bob", "familyName": "Builder", "gender": "Male", "birthCountry": "Bahamas", "birthDate": “1958-07-17” }, "proof": { "type": "Ed25519Signature2018", "proofPurpose": "assertionMethod", "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "created": "2023-11-18T21:39:56.988853+00:00", "jws": “eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0…eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA” } }, "results": [ { "verified": true, "proof": { "@context": [ "https://www.w3.org/2018/credentials/v1", “https://w3id.org/citizenship/v1” ], "type": "Ed25519Signature2018", "proofPurpose": "assertionMethod", "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "created": "2023-11-18T21:39:56.988853+00:00", "jws": “eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0…eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA” }, "purpose_result": { "valid": true, "controller": { "@context": "https://w3id.org/security/v2", "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "assertionMethod": [ “did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1” ], "authentication": [ { "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "type": "Ed25519VerificationKey2018", "controller": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "publicKeyBase58": “8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo” } ], "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "https://www.w3.org/ns/did#service": { "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication", "type": "did-communication", "https://www.w3.org/ns/did#serviceEndpoint": { "id": “http://alice:3000” } } } } } ] } ], "errors": [ “The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969” ] }

The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.

This vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release in 0.7.0.

All ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.

There is no workaround other upgrading to a patched/fixed version of ACA-Py.

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP