CVE-2015-3931 Microsec e-Szigno, CVE-2015-3932 Netlock Mokka XSW- vulnerability

From: Imre RAD <>
Subject: CVE-2015-3931 Microsec e-Szigno, CVE-2015-3932 Netlock Mokka XSW- vulnerability

In November 2014, SEARCH-LAB Ltd. discovered a security vulnerability in Microsec e-Szigno, and Netlock Mokka computer applications that are used to generate and validate
digital signatures, which are applied within the official Hungarian government processes. The vulnerability affected the \u20ac\u017ee-akta\u20ac signed document file format, where a file with a valid digital signature could be manipulated in a way that the verification software indicated a valid signature while it displayed a different document than the original.

The vulnerability details were disclosed to the affected vendors and the fixed version of the softwares were released in December, 2014. 

Affected versions:
Microsec e-Szigno (older than v3.2.7.12): CVE-2015-3931
Netlock Mokka (older than v2.7.8.1204): CVE-2015-3932

The vulnerability is classified as XML Signature Wrapping. It could be triggered by inserting a new "ds:Object" node with arbitrary document payload before the original ds:Object.

The two software implementations were independent, they did not share a common codebase. The reason why both were vulnerable, is not connected to the format specification either, but two different developers independently made mistakes in implementing signatures.


Copyright © 1995-2019 All rights reserved.