CVE-2018-16150

Published: Nov 7, 2018Modified: Nov 21, 2024

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not reject excess data after the hash value. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is a variant of CVE-2006-4340.

Affected (1)

Products: Axtls Project: Axtls

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Axtls Project Axtls	Up to 2.1.3

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c

Source: cve@mitre.org

PatchThird Party Advisory

https://sourceforge.net/p/axtls/mailman/message/36459928/

Source: cve@mitre.org

Third Party Advisory

https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://sourceforge.net/p/axtls/mailman/message/36459928/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.