
Fix EXE/DLL cert verification #727

Merged
merged 3 commits into from
Oct 22, 2022

Conversation

micahsnyder
Contributor

RSA certificate verification is failing because we accidentally lowered the max size of numbers for floating point multiplication with TomsFastMath when upgrading the vendored library code.

This commit restores the default from 4096 to 8192.

Fixes #604

Contributor

@shutton shutton left a comment


Moar bits...

RSA certificate verification is failing because we accidentally lowered
the max size of numbers for floating point multiplication with
TomsFastMath when upgrading the vendored library code.

This commit restores the default from 4096 to 8192.

The function `cli_scan_fmap()` is where we check PE authenticode
certificates. But it is only returning CL_CLEAN, CL_VIRUS, or file
types. It should propagate errors as well as CL_VERIFIED, if the
authenticode finds we should trust the file.

The PE cert test can be enabled now that the cert trust feature is
fixed. In so doing I found an issue with it -- it was also using the
block-certificate signature, which overrides the trust-certificate
signatures. This made me realize that we should also have a test to make
sure the block-cert signatures take precedence over the trust-cert sigs.

I fixed the original sig and added this second test case.
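The size limit the first commit restores matters because TomsFastMath works on fixed-capacity big integers: a multiply whose product would not fit in the compile-time maximum simply cannot complete, and RSA signature verification repeatedly squares values as wide as the modulus, so the headroom has to be roughly twice the modulus width. The toy below is an added illustration of that constraint, not ClamAV or TomsFastMath code; the `cap_bits` parameter stands in for the page's 4096/8192 maximum, and the modulus it builds is a constructed bit pattern, not a real key.

```python
"""Why a fixed-capacity bignum library needs ~2x the RSA modulus width.

Added example (not ClamAV / TomsFastMath code).  `cap_bits` models a
compile-time maximum number size; the real library's limb layout is not
reproduced here.
"""


class CapacityExceeded(Exception):
    """Raised when a product would not fit in the fixed-size number."""


def checked_mul(a, b, cap_bits):
    """Multiply two non-negative ints, refusing if the full product would
    overflow a number of cap_bits bits (a fixed limb array cannot grow)."""
    p = a * b
    if p.bit_length() > cap_bits:
        raise CapacityExceeded(
            f"product needs {p.bit_length()} bits > capacity {cap_bits}")
    return p


def modexp(base, exp, mod, cap_bits):
    """Square-and-multiply modular exponentiation built on checked_mul.

    Every intermediate product is below mod**2, so about twice the
    modulus width is the headroom required before the reduction."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:
            result = checked_mul(result, base, cap_bits) % mod
        exp >>= 1
        if exp:
            base = checked_mul(base, base, cap_bits) % mod
    return result


def rsa_verify_fits(modulus_bits, cap_bits, public_exponent=65537):
    """Return True if an RSA-style signature check (sig**e mod n) with an
    n-bit modulus completes under cap_bits, False if it would overflow.

    The modulus is a constructed odd value with its top bits set, which is
    enough to exercise the widths involved; it is not a real key."""
    mod = (1 << (modulus_bits - 1)) | (1 << (modulus_bits - 2)) | 1
    sig = mod - 2  # a signature value just below the modulus
    try:
        modexp(sig, public_exponent, mod, cap_bits)
        return True
    except CapacityExceeded:
        return False


if __name__ == "__main__":
    for n in (2048, 3072, 4096):
        for cap in (4096, 8192):
            print(f"{n}-bit modulus under {cap}-bit cap: "
                  f"{'ok' if rsa_verify_fits(n, cap) else 'OVERFLOW'}")
```

With a 4096-bit cap a 2048-bit modulus still fits, but anything wider overflows on the first squaring, which is the failure mode the restored 8192 default avoids.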
@micahsnyder micahsnyder added 🍒cherry-pick-candidate A PR that should be backported once approved. and removed 🍒cherry-pick-candidate A PR that should be backported once approved. labels Oct 21, 2022
@micahsnyder
Contributor Author

Backporting this one is too much pain. The recent allmatch fixes work cleaned up so much error handling that made this work reliably. Simply cherrypicking this fix does not cause certificate verification to correctly trust a file. A number of bugs exist causing it to continue scanning instead of aborting. Users will have to upgrade from 0.105 -> 1.0 for cert verification to work.

@micahsnyder micahsnyder merged commit bed65c9 into Cisco-Talos:main Oct 22, 2022
@micahsnyder micahsnyder deleted the CLAM-2015-cert-verify branch October 22, 2022 00:21