7.5
CVE-2023-40012
- EPSS 0.2%
- Veröffentlicht 09.08.2023 16:15:10
- Zuletzt bearbeitet 21.11.2024 08:18:30
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginuthenticode EKU validation bypass
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Trailofbits ≫ Uthenticode Version < 2.0.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.099 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| security-advisories@github.com | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-325 Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53
https://github.com/trailofbits/uthenticode/pull/78
https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj