## Vulnerability Key Information

### Vulnerability Overview

- **Software**: GoSign Desktop
- **Version**: 2.4.0 (Windows, Linux, macOS)
- **Discovery Date**: 2025-10-03 (public disclosure 2025-11-14; see timeline below)

### Vulnerability Details

#### TLS Certificate Validation Bypass

- **Issue**: TLS certificate validation is disabled (`SSL_VERIFY_NONE`), so the client accepts any certificate, including a self-signed one presented by an interception proxy
- **Impact**:
  - Malware installation (Critical)
  - Credential theft (High)
  - Privilege escalation (High)

#### Insecure Update Mechanism

- **Issue**: The update mechanism relies on unsigned manifest files, so whoever can supply or alter the manifest controls what the updater downloads and runs
- **Impact**: Remote Code Execution (RCE)

### CVSS Score

- **Score**: 8.2
- **Vector** (CVSS 3.x): `AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H` (AV:L reflects the local config-tampering path in scenario 2 below, not the network MitM in scenario 1)

### CWE Mapping

- **CWE-295**: Improper Certificate Validation
- **CWE-347**: Improper Verification of Cryptographic Signature
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor

### Attack Scenarios

1. **Man-in-the-Middle (MitM)**: Using an interception proxy with a self-signed certificate, an attacker on the network path can read and modify the application's TLS traffic and capture OAuth credentials, JWT tokens and similar session material.
2. **Privilege Escalation**: A local attacker can modify `~/.gosign/dike.conf` to point the updater at attacker-controlled content; because the manifest is unsigned, the forced update is installed and runs with the privileges of the update process.

### Remediation

- **Fixed Version**: GoSign Desktop 2.4.1 (2025-11-04)
  - RCE via unsigned update manifest: fixed
  - Privilege escalation via `~/.gosign/dike.conf`: fixed
  - TLS certificate validation bypass (information leakage via MitM): not fixed in 2.4.1

### Disclosure Timeline

- **2025-10-03**: Vulnerability discovered
- **2025-10-04**: Proof-of-concept developed
- **2025-10-07**: Communication initiated with vendor
- **2025-11-04**: Version 2.4.1 released
- **2025-11-08**: Impact on over 1 million users confirmed
- **2025-11-14**: Public disclosure released
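The following Go program is an added example and is not code from GoSign Desktop or its vendor; the language, the manifest fields, the Ed25519 key handling and the server setup are assumptions chosen to illustrate the two weaknesses above in one mock update flow. It puts an HTTP client with verification disabled (`InsecureSkipVerify`, the Go equivalent of `SSL_VERIFY_NONE`) next to one that verifies, and an updater that trusts any manifest next to one that checks a detached signature with a pinned publisher key. The "MitM proxy" is a local `httptest` TLS server with a self-signed certificate, and the manifest contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Manifest is a hypothetical update manifest shape; the real GoSign
// manifest format is not documented on this page.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the manifest bytes plus a detached Ed25519 signature
// made with the publisher's key, which the client pins rather than downloads.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

// NewPublisherKey generates a throwaway publisher key pair for the demo.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest signs the exact bytes that will later be parsed.
func SignManifest(m Manifest, priv ed25519.PrivateKey) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// ParseUnsignedManifest is the weak behaviour: whatever arrives is trusted,
// so a MitM proxy or an edited local config decides what gets installed.
func ParseUnsignedManifest(body []byte) (Manifest, error) {
	var m Manifest
	return m, json.Unmarshal(body, &m)
}

// ParseSignedManifest is the hardened form: the signature is verified
// against the pinned publisher key before any field is used.
func ParseSignedManifest(sm SignedManifest, pub ed25519.PublicKey) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Signature) {
		return Manifest{}, errors.New("manifest signature verification failed")
	}
	return ParseUnsignedManifest(sm.Body)
}

// InsecureClient mirrors SSL_VERIFY_NONE: every certificate is accepted, so an
// interception proxy is indistinguishable from the real update server.
func InsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// VerifyingClient keeps the default: chain built to the system trust store
// and hostname checked.
func VerifyingClient() *http.Client { return &http.Client{} }

// NewSelfSignedServer plays the MitM proxy: it serves body over TLS with
// httptest's self-signed certificate, which no real trust store accepts.
func NewSelfSignedServer(body []byte) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write(body)
	}))
}

// FetchWithClient downloads url; a TLS handshake failure surfaces as an error.
func FetchWithClient(c *http.Client, url string) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

func main() {
	pub, priv := NewPublisherKey()
	// Constructed manifest; the SHA256 value is a placeholder, not a real digest.
	genuine, _ := SignManifest(Manifest{Version: "2.4.1", URL: "https://updates.example/gosign-2.4.1.bin", SHA256: "deadbeef"}, priv)
	// The attacker swaps the body; the genuine signature no longer matches it.
	tampered := SignedManifest{Body: []byte(`{"version":"9.9.9","url":"https://evil.example/payload","sha256":"0"}`), Signature: genuine.Signature}

	mitm := NewSelfSignedServer(tampered.Body)
	defer mitm.Close()

	if body, err := FetchWithClient(InsecureClient(), mitm.URL); err == nil {
		m, _ := ParseUnsignedManifest(body)
		fmt.Println("insecure client + unsigned manifest would download:", m.URL)
	}
	if _, err := FetchWithClient(VerifyingClient(), mitm.URL); err != nil {
		fmt.Println("verifying client rejects the MitM certificate:", err)
	}
	if _, err := ParseSignedManifest(tampered, pub); err != nil {
		fmt.Println("signed manifest check rejects the tampered body:", err)
	}
}
```

Run with `go run .`; the insecure client happily fetches the attacker's manifest from the self-signed server, while the verifying client fails the handshake and the signature check rejects the swapped body. In a real updater the publisher key must be compiled into the binary or stored somewhere the local user cannot write, otherwise the `~/.gosign/dike.conf` scenario simply moves to the key file.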