CVE-2023-40012

uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:trailofbits:uthenticode:*:*:*:*:*:*:*:*

History

16 Aug 2023, 17:40

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Trailofbits
Trailofbits uthenticode
CPE cpe:2.3:a:trailofbits:uthenticode:*:*:*:*:*:*:*:*
References (MISC) https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53 - (MISC) https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb9420644b6db53 - Patch
References (MISC) https://github.com/trailofbits/uthenticode/pull/78 - (MISC) https://github.com/trailofbits/uthenticode/pull/78 - Patch
References (MISC) https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj - (MISC) https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj - Vendor Advisory

09 Aug 2023, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-09 16:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-40012

Mitre link : CVE-2023-40012

CVE.ORG link : CVE-2023-40012


JSON object : View

Products Affected

trailofbits

  • uthenticode
CWE
CWE-325

Missing Cryptographic Step

CWE-347

Improper Verification of Cryptographic Signature