CVE-2023-6057

A vulnerability has been discovered in Bitdefender Total Security HTTPS scanning functionality that results in the improper trust of certificates issued using the DSA signature algorithm. The product does not properly check the certificate chain, allowing an attacker to establish MITM SSL connections to arbitrary sites using a DSA-signed certificate.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.bitdefender.com/support/security-advisories/insecure-trust-of-dsa-signed-certificates-in-bitdefender-total-security-https-scanning-va-11166/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-10-18 08:15

Updated : 2024-11-21 17:15

NVD link : CVE-2023-6057

Mitre link : CVE-2023-6057

CVE.ORG link : CVE-2023-6057

JSON object : View

Products Affected

bitdefender

total_security

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2023-6057", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.6, "automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-18T08:15:03.627", "references": [{"url": "https://www.bitdefender.com/support/security-advisories/insecure-trust-of-dsa-signed-certificates-in-bitdefender-total-security-https-scanning-va-11166/", "tags": ["Vendor Advisory"], "source": "cve-requests@bitdefender.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Bitdefender Total Security HTTPS scanning functionality that results in the improper trust of certificates issued using the DSA signature algorithm. The product does not properly check the certificate chain, allowing an attacker to establish MITM SSL connections to arbitrary sites using a DSA-signed certificate."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en la funci\u00f3n de an\u00e1lisis HTTPS de Bitdefender Total Security que da como resultado la confianza indebida en los certificados emitidos mediante el algoritmo de firma DSA. El producto no comprueba correctamente la cadena de certificados, lo que permite a un atacante establecer conexiones SSL MITM con sitios arbitrarios mediante un certificado firmado por DSA."}], "lastModified": "2024-11-21T17:15:08.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F49929DA-5848-4D43-BE46-910C13BEDA93", "versionEndExcluding": "27.0.25.115"}], "operator": "OR"}]}], "sourceIdentifier": "cve-requests@bitdefender.com"}