Pasquale "sid" Fiorillo discovered a critical vulnerability in GoSign Desktop <= 2.4.0 that allows an attacker to execute arbitrary code on the system through insecure updates and a TLS bypass. The exploit leverages the deactivation of TLS certificate verification when a proxy is configured, together with an update mechanism based on unsigned manifests. The vendor, Tinexta InfoCert, initially cooperative, ceased all communication after receiving the technical details, ignoring follow-up requests and releasing version 2.4.1 without any public notice or acknowledgment of the researchers. Due to this opaque behavior, which does not align with responsible disclosure best practices, a forced disclosure was carried out.

Multiple Vulnerabilities in GoSign Desktop lead to Remote Code Execution

Name: TLS Verification Bypass and Insecure Update in GoSign Desktop
Systems Affected: GoSign Desktop <= 2.4.0
Severity: High 8.2/10
Impact: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vendor: https://www.infocert.it/
Advisory: https://www.ush.it/team/ush/hack-gosign-desktop_240/gosign-desktop-exec.txt
Authors: Pasquale "sid" Fiorillo (sid AT ush DOT it), Francesco "ascii" Ongaro (ascii AT ush DOT it), Marco Lunardi
Date: 20251003

I. BACKGROUND

GoSign is an advanced and qualified electronic signature solution developed by Tinexta InfoCert S.p.A., used by public administrations, businesses, and professionals to manage approval workflows with traceability and security. The SaaS/web version of the product has received the "QC2" qualification from the Italian National Cybersecurity Agency (ACN). The QC2 qualification certifies a service's ability to securely handle critical data, including data processed by public administrations. Under ACN's regulation effective from August 1, 2024, cloud service providers for public entities must meet strict security and resilience requirements.
This qualification enables public administrations to adopt certified solutions for safeguarding sensitive data and ens...
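The two weaknesses the advisory summarises (certificate verification switched off when a proxy is configured, and an update manifest that carries no signature) are independent controls, and the usual hardening is to fix both: keep TLS validation on regardless of proxy settings, and have the client verify a vendor signature over the manifest plus a digest over the payload before it installs anything. The following Go program is an added illustration written for this page; it is not GoSign's code and does not describe how the product actually updates. The key pair, the `Manifest` layout, the `updates.example` URL and the `proxy.example` host are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Manifest describes one update. In this model the vendor signs the encoded
// manifest with an offline Ed25519 key and the client ships only the public
// key (hypothetical layout, not GoSign's format).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the update payload
}

// SignManifest encodes and signs a manifest (vendor side of the scheme).
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte, err error) {
	manifest, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyUpdate is the client-side gate: the manifest must carry a valid
// signature from the pinned public key, and the downloaded payload must match
// the digest inside it. Neither check depends on the transport, so losing
// certificate validation on the download path alone cannot install a
// substituted binary.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifest, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(payload)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return m, fmt.Errorf("payload digest mismatch for version %s", m.Version)
	}
	return m, nil
}

// NewUpdateTransport honours a user-supplied proxy without touching
// certificate verification: the tls.Config still validates chain and hostname,
// which is exactly the property the advisory says the proxy path lost.
func NewUpdateTransport(proxyURL string) (*http.Transport, error) {
	t := &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}
	if proxyURL != "" {
		u, err := url.Parse(proxyURL)
		if err != nil {
			return nil, err
		}
		t.Proxy = http.ProxyURL(u)
	}
	return t, nil
}

// VerifiesPeer reports whether a transport validates server certificates.
// A transport with InsecureSkipVerify set is the configuration to refuse.
func VerifiesPeer(t *http.Transport) bool {
	return t.TLSClientConfig == nil || !t.TLSClientConfig.InsecureSkipVerify
}

func main() {
	// Constructed demo: a throwaway key pair standing in for the vendor's.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: "2.4.1", URL: "https://updates.example/gosign", SHA256: hex.EncodeToString(sum[:])}
	manifest, sig, _ := SignManifest(priv, m)

	if _, err := VerifyUpdate(pub, manifest, sig, payload); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("accepted version", m.Version)
	}
	// A payload that differs from what the signed manifest describes is refused.
	tampered := append(append([]byte{}, payload...), '!')
	if _, err := VerifyUpdate(pub, manifest, sig, tampered); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The design point is that the proxy setting only ever changes `Transport.Proxy`; nothing in the update path is allowed to set `InsecureSkipVerify`, and a release gate such as `VerifiesPeer` can assert that in tests. Signature verification over the manifest is the control that survives even a compromised network path, which is why it matters more than the transport fix.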