#VU28771 Improper Verification of Cryptographic Signature in p5-Crypt-Perl - CVE-2020-13895

Cybersecurity Help s.r.o.

Published: 2020-06-07

Vulnerability identifier: #VU28771

Vulnerability risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13895

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
p5-Crypt-Perl
Universal components / Libraries / Software for developers

Vendor: Felipe Gasper

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper ECDSA signature verification for the secp256r1 (prime256v1) curve, when r and s are small and when s = 1. A remote attacker can bypass signature verification process for Crypt::Perl::ECDSA and trick the victim into installing malicious code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

p5-Crypt-Perl: 0.11 - 0.033

External links
https://github.com/FGasper/p5-Crypt-Perl/commit/f960ce75502acf7404187231a706672f8369acb2
https://github.com/FGasper/p5-Crypt-Perl/issues/14

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in p5-Crypt-Perl