CVE-2023-36377
📋 TL;DR
A buffer overflow vulnerability in osslsigncode versions 2.3 and earlier allows local attackers to execute arbitrary code by crafting malicious .exe, .sys, or .dll files. This affects systems where osslsigncode processes untrusted files, potentially leading to complete system compromise. The vulnerability requires local access to the system.
💻 Affected Systems
- mtrojnar osslsigncode
📦 What is this software?
Osslsigncode by Osslsigncode Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root/admin privileges, allowing installation of persistent malware, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files and system resources, potentially enabling further attacks.
If Mitigated
Limited impact with proper file access controls and user privilege restrictions, potentially only affecting isolated user accounts.
🎯 Exploit Status
Exploitation requires crafting malicious executable files and local access to run osslsigncode against them. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.4 and later
Vendor Advisory: https://github.com/mtrojnar/osslsigncode/releases/tag/2.4
Restart Required: No
Instructions:
1. Download osslsigncode v2.4 or later from GitHub releases.
2. Uninstall the vulnerable version.
3. Install the patched version following the project's installation instructions.
🔧 Temporary Workarounds
Restrict file processing
Limit osslsigncode usage to trusted files only through access controls and user permissions.
chmod 750 /usr/local/bin/osslsigncode
setfacl -m u:trusteduser:rx /usr/local/bin/osslsigncode
Run with reduced privileges
Execute osslsigncode with the minimal necessary privileges using privilege separation techniques.
sudo -u lowprivuser osslsigncode [options]
🧯 If You Can't Patch
- Remove osslsigncode from systems where it's not essential for operations
- Implement strict file access controls and audit all osslsigncode usage
🔍 How to Verify
Check if Vulnerable:
Check the osslsigncode version with 'osslsigncode --version' or 'osslsigncode -v'. If the version is 2.3 or earlier, the system is vulnerable.
Check Version:
osslsigncode --version
Verify Fix Applied:
After updating, run 'osslsigncode --version' to confirm the version is 2.4 or later.
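The version gate above as a small POSIX sh helper, added here as an example and not part of the advisory or the osslsigncode project. It assumes the first line of the banner starts with "osslsigncode <major>.<minor>" (the sample banners are constructed); anything else is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify an osslsigncode version banner for CVE-2023-36377.
# Assumption: the banner read from stdin starts with "osslsigncode <major>.<minor>",
# e.g. "osslsigncode 2.3, using: ..." (constructed sample, not captured output).

# Prints "vulnerable" (2.3 or earlier), "fixed" (2.4 or later) or "unknown".
# Always returns 0 so callers under "set -e" can capture the result.
classify_osslsigncode_banner() {
    # Pull "<major> <minor>" from the first line; extra components (2.3.1) are ignored.
    ver=$(sed -n '1s/^osslsigncode \([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%% *}
    minor=${ver#* }
    # Numeric comparison, so 2.10 is correctly treated as newer than 2.3.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 3 ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
    return 0
}

# Classify the installed binary (hypothetical usage; prints "unknown" if absent).
check_installed_osslsigncode() {
    osslsigncode --version 2>/dev/null | classify_osslsigncode_banner
}
```

Run `check_installed_osslsigncode` on each host; "vulnerable" means the 2.4 upgrade above is still outstanding.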
📡 Detection & Monitoring
Log Indicators:
- Unusual osslsigncode process execution patterns
- Multiple failed file signing attempts
- Process crashes of osslsigncode
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Process:osslsigncode AND (EventID:4688 OR syscall:execve) | stats count by host, user
🔗 References
- https://github.com/mtrojnar/osslsigncode/compare/2.2...2.3
- https://github.com/mtrojnar/osslsigncode/releases/tag/2.3
- https://lists.debian.org/debian-lts-announce/2023/12/msg00016.html
- https://lists.debian.org/debian-lts-announce/2025/12/msg00037.html