Ethical Hacking News
Multiple vulnerabilities in GoSign Desktop have been identified, leading to remote code execution. The vendor's handling of responsible disclosure raises concerns about the software's security and integrity.
GoSign Desktop has multiple vulnerabilities that together lead to remote code execution. The software disables TLS certificate validation when configured to use a proxy server, exposing users to man-in-the-middle (MitM) attacks, and its update mechanism relies on an unsigned manifest, so an attacker who can tamper with the connection can substitute an update package and have it executed.
GoSign Desktop, a widely used electronic signature solution developed by Tinexta InfoCert S.p.A., has been identified as having multiple vulnerabilities that can lead to remote code execution. The software, which is utilized by public administrations, businesses, and professionals for managing approval workflows with traceability and security, has received the "QC2" qualification from the Italian National Cybersecurity Agency (ACN) due to its ability to securely handle critical data.
However, recent research has revealed that the SaaS/web version of GoSign Desktop disables TLS certificate validation when configured to use a proxy server, leaving users exposed to MitM attacks. Furthermore, the update mechanism relies on an unsigned manifest, so the integrity of updates rests entirely on TLS, which in that configuration is precisely what is not validated. Together, the two weaknesses turn an attacker with a network position into one with code execution.
Researchers have identified two primary vulnerabilities in GoSign Desktop: a TLS verification bypass and an insecure update mechanism. The first, in the code path involving libdgsapi.so and libcurl.so, disables TLS certificate validation by invoking SSL_CTX_set_verify with mode SSL_VERIFY_NONE, so any certificate presented by whoever occupies the proxy's network position is accepted. That position lets an attacker intercept sensitive data, including OAuth secrets, JWT tokens, and refresh tokens.
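The bypass described above, as an added example in Go that is not code from GoSign Desktop, InfoCert, or the researchers: a self-signed httptest server plays the interceptor's forged certificate, and three client configurations are run against it. InsecureSkipVerify set to true is the Go equivalent of SSL_CTX_set_verify with SSL_VERIFY_NONE; the request path /api/token, the server, and the "intercepted" response are constructed for the demonstration. The third configuration shows the correct shape for a deployment whose proxy legitimately re-terminates TLS: trust that proxy's CA explicitly instead of switching verification off.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Outcome collects what each client configuration got back from the same
// forged-certificate server.
type Outcome struct {
	NoVerifyStatus int   // verification disabled: HTTP status the client accepted
	DefaultErr     error // default verification: the handshake error raised
	TrustedStatus  int   // explicit trust in the expected CA: HTTP status
}

// startInterceptor stands in for a MitM sitting where the configured proxy
// should be. httptest's self-signed certificate (a constructed fixture, not
// anything InfoCert issues) plays the forged certificate.
func startInterceptor() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real interceptor would relay the request upstream and record the
		// Authorization header; here it only confirms it was reached.
		fmt.Fprintf(w, "intercepted %s %s", r.Method, r.URL.Path)
	}))
}

// fetchStatus performs one GET under the given TLS configuration and returns
// the HTTP status, or the error the handshake produced. No Proxy is set on the
// transport: how the attacker reaches the path matters less than the fact that
// the client accepts whatever certificate it is shown.
func fetchStatus(url string, cfg *tls.Config) (int, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// noVerify is the Go equivalent of SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL):
// every certificate is accepted, the forged one included. Deliberately weak.
func noVerify() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// defaultVerify keeps chain and hostname checks on; the forged certificate
// chains to no trusted root, so the handshake fails before any token is sent.
func defaultVerify() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// trustCA is the hardened shape for a proxy that legitimately re-terminates
// TLS: pin that proxy's CA in RootCAs and leave verification on.
func trustCA(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// Demo runs the three configurations against the interceptor.
func Demo() Outcome {
	srv := startInterceptor()
	defer srv.Close()
	var out Outcome
	out.NoVerifyStatus, _ = fetchStatus(srv.URL+"/api/token", noVerify())
	_, out.DefaultErr = fetchStatus(srv.URL+"/api/token", defaultVerify())
	// The interceptor's own certificate plays the enterprise proxy CA here.
	out.TrustedStatus, _ = fetchStatus(srv.URL+"/api/token", trustCA(srv.Certificate()))
	return out
}

func main() {
	out := Demo()
	fmt.Println("SSL_VERIFY_NONE equivalent, accepted status:", out.NoVerifyStatus)
	fmt.Println("default verification, handshake error:     ", out.DefaultErr)
	fmt.Println("explicit CA trust, accepted status:        ", out.TrustedStatus)
}
```

The first client receives the interceptor's response as if it were InfoCert's, which is the point at which tokens in the Authorization header leak; the second never completes the handshake; the third connects only because the specific CA was placed in the trust store, which is the behaviour a proxy-aware client should have.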
The insecure update mechanism relies on an unsigned manifest containing the update package URL and its SHA-256 hash. Because nothing authenticates the manifest itself, an attacker who controls the connection can serve a modified manifest that points to a replacement package and carries that package's SHA-256, so the hash check passes and the attacker's code is executed. For affected users this amounts to full system compromise.
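The update weakness described above, as an added example in Go that is not GoSign Desktop's own update code: the vulnerable flow trusts whatever manifest arrives and checks only that the package hash matches it, so an attacker who writes both manifest and package passes trivially. The hardened flow shown beside it verifies an Ed25519 signature over the manifest bytes against a publisher key pinned in the client before believing the URL or hash inside. The manifest layout, the hostnames, the package bytes, and the use of Ed25519 are all assumptions made for the demonstration; the page only states that the manifest is unsigned and carries a URL and a SHA-256.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update descriptor this example assumes: the package URL and
// the SHA-256 of the package bytes.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"`
}

// hashMatches is the only integrity check the unsigned design performs.
func hashMatches(m Manifest, pkg []byte) bool {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

// AcceptUnsigned models the vulnerable flow: whatever manifest arrives is
// trusted, so the hash only proves that the package matches the manifest the
// attacker wrote to go with it.
func AcceptUnsigned(manifestJSON, pkg []byte) error {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return err
	}
	if !hashMatches(m, pkg) {
		return errors.New("package hash does not match manifest")
	}
	return nil // the real client would now install and run pkg
}

// AcceptSigned is the hardened flow: the manifest bytes must carry a valid
// signature from the publisher key pinned in the client before the URL or
// hash inside them is believed. TLS is then only transport privacy.
func AcceptSigned(publisher ed25519.PublicKey, manifestJSON, sig, pkg []byte) error {
	if !ed25519.Verify(publisher, manifestJSON, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	return AcceptUnsigned(manifestJSON, pkg)
}

// buildManifest computes a manifest for pkg; an attacker can run this too,
// which is exactly why the hash alone proves nothing.
func buildManifest(url string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	b, _ := json.Marshal(Manifest{URL: url, SHA256: hex.EncodeToString(sum[:])})
	return b
}

// Results holds the four outcomes; a nil error means the update was accepted.
type Results struct {
	GenuineUnsigned, GenuineSigned, ForgedUnsigned, ForgedSigned error
}

// Scenario generates a publisher key, a genuine update and a forged one, and
// runs both through both checks. All package bytes and URLs are constructed.
func Scenario() (Results, error) {
	publisherPub, publisherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	genuinePkg := []byte("constructed: genuine installer bytes")
	genuineManifest := buildManifest("https://updates.example.invalid/gosign.pkg", genuinePkg)
	genuineSig := ed25519.Sign(publisherPriv, genuineManifest)

	// The MitM serves its own package and a manifest whose hash matches it.
	forgedPkg := []byte("constructed: attacker payload")
	forgedManifest := buildManifest("https://attacker.example.invalid/gosign.pkg", forgedPkg)
	// Without the publisher's private key the best the attacker can do is
	// replay the genuine signature, which does not cover the forged bytes.
	replayedSig := genuineSig

	return Results{
		GenuineUnsigned: AcceptUnsigned(genuineManifest, genuinePkg),
		GenuineSigned:   AcceptSigned(publisherPub, genuineManifest, genuineSig, genuinePkg),
		ForgedUnsigned:  AcceptUnsigned(forgedManifest, forgedPkg),
		ForgedSigned:    AcceptSigned(publisherPub, forgedManifest, replayedSig, forgedPkg),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine update, unsigned check:", r.GenuineUnsigned)
	fmt.Println("genuine update, signed check:  ", r.GenuineSigned)
	fmt.Println("forged update, unsigned check: ", r.ForgedUnsigned) // nil: attacker code would run
	fmt.Println("forged update, signed check:   ", r.ForgedSigned)
}
```

Two caveats a signed design still needs that this example leaves out: the signed manifest should carry a version that the client requires to be newer than what is installed, or an attacker can replay an old, signed, vulnerable release, and the publisher's private key must never reach the update server, since a signature from a key the server holds is worth no more than the TLS channel that was just bypassed.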
The issue was reported to ACN/CSIRT Italia due to its severity, and researchers have shared technical details and evidence with the vendor. However, InfoCert Cyber Security Operation has acknowledged the report but has not provided any updates or fixes for the vulnerability. In fact, after the initial contact, the vendor ceased all communication and failed to honor requests for a changelog acknowledgment.
The absence of a responsible disclosure process by the vendor raises concerns about the security and integrity of GoSign Desktop. As a result, researchers have submitted a report to ACN/CSIRT Italia regarding mishandling of the disclosure process.
In light of these findings, users should exercise caution when utilizing GoSign Desktop, particularly in deployments that route it through a proxy. The latest version, 2.4.1, has been released without any communication or changelog from the vendor, so it is not known whether it addresses either issue, which raises further questions about the software's security and stability.
In conclusion, multiple vulnerabilities in GoSign Desktop combine to allow remote code execution, and the vendor's handling of responsible disclosure raises concerns about the software's security and integrity. Users should take the necessary precautions when using this electronic signature solution, and the situation should be monitored for any further updates or fixes.
Related Information:
https://www.ethicalhackingnews.com/articles/Multiple-Vulnerabilities-in-GoSign-Desktop-Lead-to-Remote-Code-Execution-A-Critical-Threat-to-Cybersecurity-ehn.shtml
https://securityaffairs.com/184672/hacking/multiple-vulnerabilities-in-gosign-desktop-lead-to-remote-code-execution.html
https://www.ush.it/2025/11/
Published: Sat Nov 15 16:33:18 2025 by llama3.2 3B Q4_K_M