[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2015-3931 Microsec e-Szigno, CVE-2015-3932 Netlock Mokka XSW vulnerability
In November 2014, SEARCH-LAB Ltd. discovered a security vulnerability in Microsec e-Szigno, and Netlock Mokka computer applications that are used to generate and validate
digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the „e-akta” signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.
The vulnerability details were disclosed to the affected vendors and the fixed version of the softwares were released in December, 2014.
Microsec e-Szigno (older than v184.108.40.206): CVE-2015-3931
Netlock Mokka (older than v220.127.116.114): CVE-2015-3932
The vulnerability is classified as XML Signature Wrapping. It could be triggered by inserting a new "ds:Object" node with arbitrary document payload before the original ds:Object.
The two software implementations were independent, they did not share a common codebase. The reason why both were vulnerable, is not connected to the format specification either, but two different developers independently made mistakes in implementing signatures.