uthenticode EKU validation bypass
CVE-2023-40012

5.9MEDIUM

Key Information:

Vendor

Trailofbits

Status
Uthenticode
Vendor
CVE Published:
9 August 2023

What is CVE-2023-40012?

uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.

Affected Version(s)

uthenticode < 2.0.0

References

https://github.com/trailofbits/uthenticode/security/advis...
x_refsource_CONFIRM
https://github.com/trailofbits/uthenticode/pull/78
x_refsource_MISC
https://github.com/trailofbits/uthenticode/commit/caeb1eb...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.