A vulnerability exists in Dream Security (Korea)’s PKI Security product, a reminder to pay attention to baseline design. 9th Aug 2021

Preface: Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Technical background: From a technical point of view, application software is installed on a host and provides functions such as listening for data on open ports or sending data to the LAN or the Internet. To protect data in transit as compliance requires, it deploys PKI technology. If the SSL certificate installed on the host is not verified, an attacker who can interfere with the communication path between the host and the client may impersonate a trusted entity: the software may connect to a malicious host believing it to be trusted, or it may be tricked into accepting spoofed data that appears to come from a trusted host.
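The failure mode described above is a client that skips peer-certificate validation. As an added example (not code from the original post or from Dream Security's product), the Python below builds a verifying TLS client context, shows the weak configuration beside it for contrast, adds an optional certificate pin, and reports the reason when a peer is refused; the host and port passed to connect_verified are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the peer: chain, hostname, TLS >= 1.2.
    cafile lets you trust only a private CA bundle instead of the system store."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: accepts any certificate from any host (shown for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context actually verify the peer certificate?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the peer fingerprint against a pinned value."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())

def connect_verified(host: str, port: int, ctx: ssl.SSLContext,
                     pin_hex: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a TLS connection, refusing any peer whose chain, hostname or optional
    pin fails. Returns a dict instead of raising so callers can log why."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                if pin_hex is not None and not pin_matches(der, pin_hex):
                    return {"ok": False, "reason": "certificate pin mismatch"}
                return {"ok": True, "fingerprint": cert_fingerprint(der),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as e:
        # Chain or hostname validation failed: the spoofed-host case from the text.
        return {"ok": False, "reason": "verification failed: " + str(e.verify_message)}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": "connection failed: " + str(e)}
```

Calling connect_verified with the context from make_client_context refuses a peer whose certificate does not chain to a trusted CA or does not match the requested hostname, which is the check whose absence lets a spoofed host be accepted.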

Vulnerability details: A vulnerability in the PKI Security Solution of Dream Security could allow arbitrary command execution. This vulnerability is due to insufficient validation of the authorization certificate. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected program. A successful exploit could allow the attacker to remotely execute arbitrary code on a target system.

Please refer to the link – https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174
