NVD Vulnerability Detail

CVE-2018-16150

Summary	In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not reject excess data after the hash value. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is a variant of CVE-2006-4340.
Publication Date	Nov. 8, 2018, 5:29 a.m.
Registration Date	March 1, 2021, 7:02 p.m.
Last Update	Nov. 21, 2024, 12:52 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:axtls_project:axtls::::::::			2.1.3

Related information, measures and tools

No	URL	タグ
1	https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c	Patch Third Party Advisory
2	https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c	Patch Third Party Advisory
3	https://sourceforge.net/p/axtls/mailman/message/36459928/	Third Party Advisory
4	https://sourceforge.net/p/axtls/mailman/message/36459928/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-347	デジタル署名の不適切な検証	https://cwe.mitre.org/data/definitions/347.html

JVN Vulnerability Information

axTLS におけるデジタル署名の検証に関する脆弱性

Title	axTLS におけるデジタル署名の検証に関する脆弱性
Summary	axTLS には、デジタル署名の検証に関する脆弱性が存在します。本脆弱性は、CVE-2006-4340 と関連する脆弱性です。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 5, 2018, midnight
Registration Date	Jan. 24, 2019, 5:04 p.m.
Last Update	Jan. 24, 2019, 5:04 p.m.

Affected System

Cameron Rich

axTLS 2.1.3 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-16150	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16150
2	CVE-2018-16150	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16150
National Vulnerability Database (NVD)
3	CVE-2018-16150	https://nvd.nist.gov/vuln/detail/CVE-2018-16150
4	CVE-2018-16150	https://nvd.nist.gov/vuln/detail/CVE-2018-16150

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-347	https://cwe.mitre.org/data/definitions/347.html
2	CWE-347	https://cwe.mitre.org/data/definitions/347.html

ベンダー情報

No	Name	URL
SourceForge
1	Re: [axtls-general] Problems of PKCS#1 v1.5 RSA Signature Verification	https://sourceforge.net/p/axtls/mailman/message/36459928/
2	Re: [axtls-general] Problems of PKCS#1 v1.5 RSA Signature Verification	https://sourceforge.net/p/axtls/mailman/message/36459928/

その他

No	Name	URL
関連文書
1	Apply CVE fixes for X509 parsing	https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c
2	Apply CVE fixes for X509 parsing	https://github.com/igrr/axtls-8266/commit/5efe2947ab45e81d84b5f707c51d1c64be52f36c

Change Log

No	Changed Details	Date of change
1	[2019年01月24日] 掲載	Jan. 24, 2019, 5:04 p.m.