GSD-2023-40012
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-40012",
"id": "GSD-2023-40012"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-40012"
],
"details": "uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a \"signed\" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn\u0027t entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.",
"id": "GSD-2023-40012",
"modified": "2023-12-13T01:20:44.097590Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-40012",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uthenticode",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 2.0.0"
}
]
}
}
]
},
"vendor_name": "trailofbits"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a \"signed\" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn\u0027t entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-325",
"lang": "eng",
"value": "CWE-325: Missing Cryptographic Step"
}
]
},
{
"description": [
{
"cweId": "CWE-347",
"lang": "eng",
"value": "CWE-347: Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj",
"refsource": "MISC",
"url": "https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj"
},
{
"name": "https://github.com/trailofbits/uthenticode/pull/78",
"refsource": "MISC",
"url": "https://github.com/trailofbits/uthenticode/pull/78"
},
{
"name": "https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53",
"refsource": "MISC",
"url": "https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53"
}
]
},
"source": {
"advisory": "GHSA-gm2f-j4rj-6xqj",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:trailofbits:uthenticode:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-40012"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a \"signed\" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn\u0027t entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
},
{
"lang": "en",
"value": "CWE-325"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53"
},
{
"name": "https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj"
},
{
"name": "https://github.com/trailofbits/uthenticode/pull/78",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/trailofbits/uthenticode/pull/78"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-08-16T17:40Z",
"publishedDate": "2023-08-09T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…