digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the „e-akta” signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.
The vulnerability details were disclosed to the affected vendors and the fixed version of the softwares were released in December, 2014.
Affected versions:
Microsec e-Szigno (older than v3.2.7.12): CVE-2015-3931
Netlock Mokka (older than v2.7.8.1204): CVE-2015-3932
The vulnerability is classified as XML Signature Wrapping. It could be triggered by inserting a new "ds:Object" node with arbitrary document payload before the original ds:Object.
The two software implementations were independent, they did not share a common codebase. The reason why both were vulnerable, is not connected to the format specification either, but two different developers independently made mistakes in implementing signatures.
References:
https://www.search-lab.hu/
https://www.search-lab.hu/
http://www.neih.gov.hu/?q=
Komentarų nėra:
Rašyti komentarą