CVE-2024-32962

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-32962
xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification.

10.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000
https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca
https://github.com/node-saml/xml-crypto/pull/301
https://github.com/node-saml/xml-crypto/pull/445
https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v
https://security.netapp.com/advisory/ntap-20240705-0003/
https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation
https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000
https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca
https://github.com/node-saml/xml-crypto/pull/301
https://github.com/node-saml/xml-crypto/pull/445
https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v
https://security.netapp.com/advisory/ntap-20240705-0003/
https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation
Configurations

No configuration.

History

21 Nov 2024, 09:16

Type Values Removed Values Added
References () https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000 - () https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000 -
References () https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca - () https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca -
References () https://github.com/node-saml/xml-crypto/pull/301 - () https://github.com/node-saml/xml-crypto/pull/301 -
References () https://github.com/node-saml/xml-crypto/pull/445 - () https://github.com/node-saml/xml-crypto/pull/445 -
References () https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v - () https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v -
References () https://security.netapp.com/advisory/ntap-20240705-0003/ - () https://security.netapp.com/advisory/ntap-20240705-0003/ -
References () https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation - () https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation -

05 Jul 2024, 16:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240705-0003/ -
Summary
  • (es) xml-crypto es una librería de cifrado y firma digital xml para Node.js. En las versiones afectadas, la configuración predeterminada no verifica la autorización del firmante, solo verifica la validez de la firma según la sección 3.2.2 de la especificación w3 xmldsig-core-20080610. Como tal, sin pasos de validación adicionales, la configuración predeterminada permite a un actor malintencionado volver a firmar un documento XML, colocar el certificado en un elemento `` y pasar las comprobaciones de validación predeterminadas `xml-crypto`. Como resultado, `xml-crypto` confía de forma predeterminada en cualquier certificado proporcionado a través de `` del documento XML firmado digitalmente. `xml-crypto` prefiere usar cualquier certificado proporcionado a través de `` del documento XML firmado digitalmente, incluso si la librería se configuró para usar un certificado específico (`publicCert`) para fines de verificación de firma. Un atacante puede falsificar la verificación de la firma modificando el documento XML y reemplazando la firma existente con una firma generada con una clave privada maliciosa (creada por el atacante) y adjuntando el certificado de esa clave privada al elemento ``. Esta vulnerabilidad es una combinación de cambios introducidos en `4.0.0` en la solicitud de extracción 301/compromiso `c2b83f98` y se ha solucionado en la versión 6.0.0 con la solicitud de extracción 445/compromiso `21201723d`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden verificar el certificado extraído a través de `getCertFromKeyInfo` con certificados confiables antes de aceptar los resultados de la validación o configurar `xml-crypto's getCertFromKeyInfo` en `() =&gt; undefinido`, forzando a `xml-crypto` a usar un método explícito configurar `publicCert` o `privateKey` para la verificación de firma.

02 May 2024, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-02 07:15

Updated : 2024-11-21 09:16

NVD link : CVE-2024-32962

Mitre link : CVE-2024-32962

CVE.ORG link : CVE-2024-32962

JSON object : View

Products Affected

No product.

CWE
CWE-347

Improper Verification of Cryptographic Signature


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024