Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
uthenticode EKU validation bypass
Vulnerability Description
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
缺少必要的密码学步骤
Vulnerability Title
uthenticode 安全漏洞
Vulnerability Description
uthenticode是Trail of Bits开源的一个小型跨平台库。用于部分验证 Authenticode 数字签名。 uthenticode 2.0.0之前版本存在安全漏洞,该漏洞源于未检查证书中的扩展密钥用法,导致攻击者可以绕过EKU验证。
CVSS Information
N/A
Vulnerability Type
N/A