[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2015-3931 Microsec e-Szigno, CVE-2015-3932 Netlock Mokka XSW vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CVE-2015-3931 Microsec e-Szigno, CVE-2015-3932 Netlock Mokka XSW vulnerability
- From: Imre RAD <imre.rad@xxxxxxxxxxxxx>
- Date: Fri, 26 Jun 2015 10:15:02 +0200
In November 2014, SEARCH-LAB Ltd. discovered a security vulnerability in
Microsec e-Szigno, and Netlock Mokka computer applications that are used to
generate and validate
digital signatures, which are applied within the official Hungarian government
processes. The vulnerability affected the „e-akta” signed document file format,
where a file with a valid digital signature could be manipulated in a way that
the verification software indicated a valid signature while it displayed a
different document than the original.
The vulnerability details were disclosed to the affected vendors and the fixed
version of the softwares were released in December, 2014.
Affected versions:
Microsec e-Szigno (older than v3.2.7.12): CVE-2015-3931
Netlock Mokka (older than v2.7.8.1204): CVE-2015-3932
The vulnerability is classified as XML Signature Wrapping. It could be
triggered by inserting a new "ds:Object" node with arbitrary document payload
before the original ds:Object.
The two software implementations were independent, they did not share a common
codebase. The reason why both were vulnerable, is not connected to the format
specification either, but two different developers independently made mistakes
in implementing signatures.
References:
https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-documents-had-to-be-reverified
https://www.search-lab.hu/eakta
http://www.neih.gov.hu/?q=node/66