Vulnerabilities > CVE-2013-2153 - Cryptographic Issues vulnerability in Apache XML Security for C++

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypass issue."

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
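    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. (Note: the summary above describes reuse of existing signatures through crafted Reference elements; it does not mention recovery of the signer's private key, so this pattern is a loose mapping at best.)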

Nessus

  • NASL family: Misc.
    NASL id: SECURITYCENTER_5_8_0_TNS_2018_15.NASL
    description: According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is 5.7.1 or earlier. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues nor the stand-alone patch but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119149
    published: 2018-11-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119149
    title: Tenable SecurityCenter < 5.8.0 Multiple Vulnerabilities (TNS-2018-15)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata branch: taken only when `description` is set. It registers the
    # plugin's identifiers, texts, scoring and prerequisites and then calls
    # exit(0), so the version check further down is not reached from here.
    if (description)
    {
      script_id(119149);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/01");
    
      # Seven CVE ids are attached to this one plugin; CVE-2013-2153 is only one
      # of them, so a finding from this script does not single out that issue.
      script_cve_id(
        "CVE-2013-2153",
        "CVE-2013-2154",
        "CVE-2013-2155",
        "CVE-2013-2156",
        "CVE-2013-2210",
        "CVE-2013-4517",
        "CVE-2014-0107"
      );
      script_bugtraq_id(
        60592,
        60594,
        60595,
        60599,
        60817,
        64437,
        66397
      );
    
      script_name(english:"Tenable SecurityCenter < 5.8.0 Multiple Vulnerabilities (TNS-2018-15)");
      script_summary(english:"Checks the SecurityCenter version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote host is affected by multiple
    vulnerabilities.");
      # The description states the limits of the check itself: nothing is
      # tested beyond the self-reported version number.
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Tenable SecurityCenter
    application installed on the remote host is 5.7.1 or earlier. It is,
    therefore, affected by multiple vulnerabilities.
    
    Note that Nessus has not tested for these issues nor the stand-alone
    patch but has instead relied only on the application's self-reported
    version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2018-15");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Tenable SecurityCenter version 5.8.0 or later or apply
    SecurityCenter Patch 201811.1.");
      # The cvss_score_source attribute below names CVE-2014-0107, so these
      # vectors are presumably that CVE's score and not one per listed CVE.
      # NOTE(review): the CVSS2 temporal vector carries E:F while the CVSS3
      # temporal vector carries E:U, and exploit_available is "true" - confirm
      # which exploitability rating is intended.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0107");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # NOTE(review): vuln_publication_date is 2018/11/07 although the CVE ids
      # are from 2013 and 2014 - presumably the date of the vendor advisory
      # (TNS-2018-15) rather than of the underlying issues; confirm.
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/27");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: two SecurityCenter detection plugins, the
      # Settings/ParanoidReport key (consistent with the report_paranoia test
      # in the body), and the two knowledge-base entries the body reads from.
      script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    # Version-only check. The plugin's own description says neither the issues
    # nor the stand-alone patch are tested, and the check continues only when
    # report_paranoia is at least 2; otherwise audit(AUDIT_PARANOID) is called
    # (presumably ending the script - audit() is defined in an include).
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Prefer the version stored under Host/SecurityCenter/Version; the report
    # is attached to port 0 in that case.
    version = get_kb_item("Host/SecurityCenter/Version");
    port = 0;
    if(empty_or_null(version))
    {
      # Fallback: read the version from the "SecurityCenter" install record and
      # attach the report to port 443.
      # NOTE(review): 443 is hard-coded - confirm it matches the port the
      # install was actually detected on.
      port = 443;
      install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
      version = install["version"];
    }
    fix = "5.8.0";
    
    # Report when the installed version compares lower than the fixed version.
    # NOTE(review): only the version string is compared, so an install that
    # received SecurityCenter Patch 201811.1 (named in the solution text)
    # would presumably still be reported unless the patch changes the version
    # string - treat a finding as "needs confirmation", not as proof.
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      # The report lists the installed and the fixed version, in that order.
      items = make_array(
        "Installed version", version,
        "Fixed version", fix
      );
      order = make_list("Installed version", "Fixed version");
      report = report_items_str(report_items:items, ordered_fields:order);
    
      security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
    }
    else
      # Version is at or above the fix: record the install as not vulnerable.
      audit(AUDIT_INST_VER_NOT_VULN, 'SecurityCenter', version);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2710.NASL
    description: James Forshaw from Context Information Security discovered several vulnerabilities in xml-security-c, an implementation of the XML Digital Security specification. The Common Vulnerabilities and Exposures project identifies the following problems: - CVE-2013-2153 The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content. - CVE-2013-2154 A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code. - CVE-2013-2155 A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input. - CVE-2013-2156 A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution.
    last seen: 2020-03-17
    modified: 2013-06-19
    plugin id: 66917
    published: 2013-06-19
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66917
    title: Debian DSA-2710-1 : xml-security-c - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2710. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata branch: taken only when `description` is set. It registers the
    # plugin's identifiers, advisory text, references, scoring and
    # prerequisites and then calls exit(0), so the package check further down
    # is not reached from here.
    if (description)
    {
      script_id(66917);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # Four CVE ids from one advisory (DSA-2710) are covered by this plugin.
      script_cve_id("CVE-2013-2153", "CVE-2013-2154", "CVE-2013-2155", "CVE-2013-2156");
      script_bugtraq_id(60592, 60594, 60595, 60599);
      script_xref(name:"DSA", value:"2710");
    
      script_name(english:"Debian DSA-2710-1 : xml-security-c - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Per the header comment of this plugin, the descriptive text is taken
      # from the Debian advisory.
      script_set_attribute(
        attribute:"description", 
        value:
    "James Forshaw from Context Information Security discovered several
    vulnerabilities in xml-security-c, an implementation of the XML
    Digital Security specification. The Common Vulnerabilities and
    Exposures project identifies the following problems :
    
      - CVE-2013-2153
        The implementation of XML digital signatures in the
        Santuario-C++ library is vulnerable to a spoofing issue
        allowing an attacker to reuse existing signatures with
        arbitrary content.
    
      - CVE-2013-2154
        A stack overflow, possibly leading to arbitrary code
        execution, exists in the processing of malformed
        XPointer expressions in the XML Signature Reference
        processing code.
    
      - CVE-2013-2155
        A bug in the processing of the output length of an
        HMAC-based XML Signature would cause a denial of service
        when processing specially chosen input.
    
      - CVE-2013-2156
        A heap overflow exists in the processing of the
        PrefixList attribute optionally used in conjunction with
        Exclusive Canonicalization, potentially allowing
        arbitrary code execution."
      );
      # References: one Debian tracker page per CVE, the source-package pages
      # for squeeze and wheezy, and the advisory itself.
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-2153"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-2154"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-2155"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-2156"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze/xml-security-c"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/xml-security-c"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2013/dsa-2710"
      );
      # The fixed versions named here are the same strings the package check
      # in the body passes as `reference`.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xml-security-c packages.
    
    For the oldstable distribution (squeeze), these problems have been
    fixed in version 1.5.1-3+squeeze2.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 1.6.1-5+deb7u1."
      );
      # One CVSS2 vector is set for the whole plugin, not one per CVE. The
      # temporal vector (E:U) agrees with exploit_available "false" below.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # plugin_type "local": the body works from the host's package list, not
      # from a network probe. The CPE entries name the package and the two
      # Debian releases (6.0 and 7.0) that the body checks.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xml-security-c");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Prerequisites: the ssh_get_info.nasl plugin and the three
      # knowledge-base keys that the body tests again before checking packages.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions read from the knowledge base: local checks enabled, a
    # Debian release recorded, and a dpkg package list present. Each missing
    # item leads to its own audit() call (presumably ending the script -
    # audit() is defined in an include).
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Check the library package (libxml-security-c15 / -c16) and the -dev
    # package against the fixed versions from the solution text:
    # 1.5.1-3+squeeze2 for release 6.0 and 1.6.1-5+deb7u1 for release 7.0.
    # flag counts the deb_check() calls that return true.
    # presumably deb_check() is true when the installed package is older than
    # `reference` (defined in debian_package.inc, not shown here) - verify.
    flag = 0;
    if (deb_check(release:"6.0", prefix:"libxml-security-c-dev", reference:"1.5.1-3+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"libxml-security-c15", reference:"1.5.1-3+squeeze2")) flag++;
    if (deb_check(release:"7.0", prefix:"libxml-security-c-dev", reference:"1.6.1-5+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libxml-security-c16", reference:"1.6.1-5+deb7u1")) flag++;
    
    if (flag)
    {
      # At least one package matched. With report_verbosity above 0 the
      # finding carries the deb_report_get() output; otherwise it is reported
      # on port 0 without extra text.
      # NOTE(review): this is a package-version comparison only; the library's
      # behaviour is not exercised.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    # No package matched: record the host as not affected.
    else audit(AUDIT_HOST_NOT, "affected");