CVE-2023-39969
📋 TL;DR
CVE-2023-39969 is a critical vulnerability in uthenticode version 1.0.9 where the library incorrectly hashes entire files instead of sections by virtual address, violating the Authenticode specification. This allows attackers to modify executable code within signed binaries without invalidating the digital signature, making malicious modifications appear legitimate. Anyone using uthenticode 1.0.9 for signature verification is affected.
💻 Affected Systems
- uthenticode
📦 What is this software?
Uthenticode by Trailofbits
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious code into signed binaries (like system utilities or security tools) that would pass signature verification, enabling supply chain attacks, malware persistence, or privilege escalation.
Likely Case
Malicious actors could modify legitimate signed executables to include backdoors or other malicious functionality while maintaining apparent signature validity, bypassing security controls that rely on uthenticode for verification.
If Mitigated
If proper controls like full-chain certificate validation and additional integrity checks are in place, the risk is reduced but not eliminated since the signature verification itself is fundamentally flawed.
🎯 Exploit Status
Exploitation requires modifying a signed binary and having it verified by vulnerable uthenticode. The vulnerability is well-documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.x (specifically fixed in commit 8670b7bb9154d79c276483dcb7c9e9fd5e66455b)
Vendor Advisory: https://github.com/trailofbits/uthenticode/security/advisories/GHSA-rc7g-99x7-4p9g
Restart Required: No
Instructions:
1. Upgrade uthenticode to version 2.x. 2. Rebuild any applications that link against uthenticode. 3. Test signature verification functionality.
🧯 If You Can't Patch
- Discontinue use of uthenticode 1.0.9 and switch to alternative signature verification methods.
- Implement additional integrity checks beyond uthenticode verification for critical binaries.
🔍 How to Verify
Check if Vulnerable:
Check if uthenticode version 1.0.9 is installed or linked by applications. Review dependency manifests or build configurations.Check Version:
Depends on integration method. For source builds, check package.json or build scripts. For binaries, check version strings or dependency information.Verify Fix Applied:
Verify uthenticode version is 2.x or higher. Test with known modified signed binaries to ensure they fail verification.📡 Detection & Monitoring
Log Indicators:
- Unexpected signature verification successes for modified binaries
- Anomalous process behavior from signed executables
Network Indicators:
- Downloads of suspiciously modified signed binaries
SIEM Query:
Process execution events where signed binaries exhibit unusual behavior or network connections🔗 References
- https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b
- https://github.com/trailofbits/uthenticode/pull/84
- https://github.com/trailofbits/uthenticode/security/advisories/GHSA-rc7g-99x7-4p9g
- https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b
- https://github.com/trailofbits/uthenticode/pull/84
- https://github.com/trailofbits/uthenticode/security/advisories/GHSA-rc7g-99x7-4p9g
