CVE-2018-16253

Published: Nov 7, 2018Modified: Nov 21, 2024

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not properly verify the ASN.1 metadata. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is an even more permissive variant of CVE-2006-4790 and CVE-2014-1568.

Affected (1)

Products: Axtls Project: Axtls

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Axtls Project Axtls	Up to 2.1.3

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c

Source: cve@mitre.org

PatchThird Party Advisory

https://sourceforge.net/p/axtls/mailman/message/36459928/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://sourceforge.net/p/axtls/mailman/message/36459928/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.