In November 2014, SEARCH-LAB Ltd. discovered a security vulnerability in Microsec e-Szigno, and Netlock Mokka computer applications that are used to generate and validate
digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the â??e-aktaâ? signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.
The vulnerability details were disclosed to the affected vendors and the fixed version of the softwares were released in December, 2014.
Affected versions:
Microsec e-Szigno (older than v3.2.7.12): CVE-2015-3931
Netlock Mokka (older than v2.7.8.1204): CVE-2015-3932
The vulnerability is classified as XML Signature Wrapping. It could be triggered by inserting a new "ds:Object" node with arbitrary document payload before the original ds:Object.
The two software implementations were independent, they did not share a common codebase. The reason why both were vulnerable, is not connected to the format specification either, but two different developers independently made mistakes in implementing signatures.
digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the â??e-aktaâ? signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.
The vulnerability details were disclosed to the affected vendors and the fixed version of the softwares were released in December, 2014.
Affected versions:
Microsec e-Szigno (older than v3.2.7.12): CVE-2015-3931
Netlock Mokka (older than v2.7.8.1204): CVE-2015-3932
The vulnerability is classified as XML Signature Wrapping. It could be triggered by inserting a new "ds:Object" node with arbitrary document payload before the original ds:Object.
The two software implementations were independent, they did not share a common codebase. The reason why both were vulnerable, is not connected to the format specification either, but two different developers independently made mistakes in implementing signatures.
References:
https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-
documents-had-to-be-reverified
https://www.search-lab.hu/eakta
http://www.neih.gov.hu/?q=node/66
[ reply ]