CVE-2023-40012
Severity: MEDIUM
Trailofbits Uthenticode < 2.0.0 - Signature Verification Bypass
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check the Extended Key Usage (EKU) extension in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., an SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj-6xqj
Patch (x_refsource_misc): https://github.com/trailofbits/uthenticode/pull/78
Scores
CVSS v3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.0005
EPSS Percentile: 16.4%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-325, CWE-347
Status: published
Products (1)
trailofbits/uthenticode < 2.0.0
Published: Aug 09, 2023
Tracked Since: Feb 18, 2026