CVE-2008-5100 - The strong name (SN) implementation in Microsoft .NET Framework 2.0.50727 relies on the digital sign

CVE-2008-5100

Summary

The strong name (SN) implementation in Microsoft .NET Framework 2.0.50727 relies on the digital signature Public Key Token embedded in the pathname of a DLL file instead of the digital signature of this file itself, which makes it easier for attackers to bypass Global Assembly Cache (GAC) and Code Access Security (CAS) protection mechanisms, aka MSRC ticket MSRC8566gs.

References

Vulnerable Configurations

cpe:2.3:a:microsoft:.net_framework:2.0.50727:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:2.0.50727:*:*:*:*:*:*:*

CVSS

Base:	10.0 (as of 11-10-2018 - 20:54)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:C/I:C/A:C

refmap via4

bugtraq	20081113 New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
misc	http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=ycIS1bewMBI%3d&tabid=161&mid=555
sreason	4605

Last major update

11-10-2018 - 20:54

Published

17-11-2008 - 18:18

Last modified

11-10-2018 - 20:54