lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <558D0A06.9000501@search-lab.hu>
Date: Fri, 26 Jun 2015 10:15:02 +0200
From: Imre RAD <imre.rad@...rch-lab.hu>
To: bugtraq@...urityfocus.com
Subject: CVE-2015-3931 Microsec e-Szigno, CVE-2015-3932 Netlock Mokka XSW
 vulnerability

In November 2014, SEARCH-LAB Ltd. discovered a security vulnerability in Microsec e-Szigno, and Netlock Mokka computer applications that are used to generate and validate
digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the „e-akta” signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.

The vulnerability details were disclosed to the affected vendors and the fixed version of the softwares were released in December, 2014. 

Affected versions:
Microsec e-Szigno (older than v3.2.7.12): CVE-2015-3931
Netlock Mokka (older than v2.7.8.1204): CVE-2015-3932

The vulnerability is classified as XML Signature Wrapping. It could be triggered by inserting a new "ds:Object" node with arbitrary document payload before the original ds:Object.

The two software implementations were independent, they did not share a common codebase. The reason why both were vulnerable, is not connected to the format specification either, but two different developers independently made mistakes in implementing signatures.

References:
https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-documents-had-to-be-reverified
https://www.search-lab.hu/eakta
http://www.neih.gov.hu/?q=node/66

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ