Skip to main content

Improper Verification of Cryptographic Signature

CVE-2024-32962

Severity High
Score 10/10

Summary

The xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions 4.0.0 through 5.1.1, the default configuration does not check the authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 "xmldsig-core-20080610" spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a '<KeyInfo />' element, and pass 'xml-crypto' default validation checks. As a result 'xml-crypto' trusts by default any certificate provided via digitally signed XML document's '<KeyInfo />'. 'xml-crypto' prefers to use any certificate provided via digitally signed XML document's '<KeyInfo />' even if the library was configured to use specific certificate ('publicCert') for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing the existing signature with a signature generated with a malicious private key (created by the attacker) and by attaching that private key's certificate to '<KeyInfo />' element. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via 'getCertFromKeyInfo' against trusted certificates before accepting the results of the validation or set 'xml-crypto's getCertFromKeyInfo' to '() => undefined' forcing 'xml-crypto' to use an explicitly configured 'publicCert' or 'privateKey' for signature verification.

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-347 - Improper Verification of Cryptographic Signature

A cryptographic protocol is meant to ensure that services are provided in a secure manner. An application with absent or improper verification of cryptographic signatures allows malicious users to feed false messages to valid users or to disclose sensitive data, subverting the goals of the protocol. This can lead to security failures such as false authentication, account hijacking, and privilege escalation.

Advisory Timeline

  • Published