Vulnerability Description
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Trailofbits | Uthenticode | < 2.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb942Patch
- https://github.com/trailofbits/uthenticode/pull/78Patch
- https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xVendor Advisory
- https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb942Patch
- https://github.com/trailofbits/uthenticode/pull/78Patch
- https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xVendor Advisory
FAQ
What is CVE-2023-40012?
CVE-2023-40012 is a vulnerability with a CVSS score of 5.9 (MEDIUM). uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates...
How severe is CVE-2023-40012?
CVE-2023-40012 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40012?
Check the references section above for vendor advisories and patch information. Affected products include: Trailofbits Uthenticode.