PT-2023-27207 · Unknown · Uthenticode

D4Stiny · Published 2023-08-09 · Updated 2023-08-16 · CVE-2023-40012

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: uthenticode versions prior to 2.x
Description: The issue concerns uthenticode, a library for partially verifying Authenticode digital signatures. It does not check the Extended Key Usage (EKU) extension of certificates, which contradicts the Authenticode X.509 certificate profile. This allows a malicious user to create a "signed" PE file that uthenticode would verify as valid, using an X.509 certificate not meant for code signing, such as an SSL certificate. The library does not perform full-chain validation by design, but the lack of EKU validation was an oversight. The 2.0.0 release series includes EKU checks.
Recommendations: For versions prior to 2.x, update to the 2.0.0 release series or later to include EKU checks. At the moment, there is no information about other workarounds for this issue.
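The check that was missing is a policy decision on the signer certificate's Extended Key Usage extension: the Authenticode profile requires the id-kp-codeSigning purpose (OID 1.3.6.1.5.5.7.3.3), so a certificate whose EKU lists only serverAuth must be rejected even if the signature itself is cryptographically valid. The following is an added example, not uthenticode's own code, showing how such a check looks when applied to the DER-encoded EKU extension value. It uses only the Python standard library with a small DER encoder/decoder for the OID list; the sample extension values are constructed inline, and the encoder is restricted to short-form lengths (extension values under 128 bytes), which is an assumption that holds for typical EKU lists.

```python
"""Extended Key Usage check for a code-signing certificate (added example)."""

# Well-known EKU purpose OIDs (RFC 5280 / Authenticode profile).
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning, required by Authenticode
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, what a TLS/SSL certificate carries


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV (short-form length)."""
    arcs = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])        # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                           # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """DER-encode an ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) value."""
    content = b"".join(encode_oid(o) for o in oids)
    assert len(content) < 128, "short-form length only (assumption of this example)"
    return bytes([0x30, len(content)]) + content


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]               # valid for arcs rooted at 0 or 1
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes):
    """Parse a DER ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def permits_code_signing(eku_der) -> bool:
    """Authenticode policy: the signer must carry id-kp-codeSigning.

    A missing EKU extension (None) is rejected here as well: RFC 5280 treats an
    absent EKU as "any purpose", but the Authenticode profile requires the
    explicit purpose, and that stricter reading is what this example enforces.
    """
    if eku_der is None:
        return False
    return CODE_SIGNING_OID in parse_eku(eku_der)


if __name__ == "__main__":
    # Constructed sample extension values, not taken from any real certificate.
    tls_only = encode_eku([SERVER_AUTH_OID])
    signer = encode_eku([SERVER_AUTH_OID, CODE_SIGNING_OID])
    print("TLS-only cert accepted for code signing:", permits_code_signing(tls_only))
    print("Code-signing cert accepted:", permits_code_signing(signer))
```

With this check in place, a PE "signed" with an SSL certificate fails verification on the EKU policy even though its signature blob decodes and the hash matches, which is exactly the case the advisory describes.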


Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2023-40012
GHSA-GM2F-J4RJ-6XQJ

Affected Products

Uthenticode