GoSign Desktop RCE flaws affecting users in Italy (ush.it)

86 points by ascii ↗ HN
GoSign is a desktop client used across Italian public administrations and enterprises for qualified electronic signatures, produced by Tinexta InfoCert, one of Europe’s major eIDAS-regulated trust service providers. Researchers found that versions ≤ 2.4.0 disable TLS certificate verification when a proxy is configured and use an unsigned update manifest. Combined, these flaws allow man-in-the-middle attacks and delivery of malicious updates leading to remote code execution.

8 comments

[ 2.9 ms ] story [ 31.1 ms ] thread
(comment deleted)
(comment deleted)
Paris Cloudflare Error
How is this related with the Cloudflare outage? The bug was present in GoSign Desktop <= 2.4.0, so it seems that it was introduced long time ago.
I'm a bit confused by the privilege escalation part. Doesn't modifying the settings require the same privileges the application has?
I suppose the application runs as root (to update the application files) but reads the user settings (which are writable without root priviledges)