Weak Authenticode image hash algorithm
ID PE171 Level ERROR Category Security
Description
Authenticode image hash algorithm is too weak. This may allow an attacker to modify the executable while keeping the signature valid.
If the goal is to support older operating systems which do not handle stronger hashes (like Windows XP, which supports MD5 and SHA1 only), use dual-signing with the /as SignTool option. First sign with a weaker algorithm, and then with a stronger one. Example:
signtool.exe sign /f cert_file.pfx /fd sha1 /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password
Mitigation
- Use stronger hash algorithm when signing the image.
MD5andSHA1algorithms are no longer considered safe. UseSHA256,SHA384orSHA512. - When signing the image using
signtool, pass the/fdoption with the strong hash name (e.g./fd SHA256). See thesigntooldescription page for more details.
Arguments
This rule has the following output arguments:
-
signature_info- Readable affected signature name (e.g. "root signature", "timestamp root signature", "nested signature (index 1)") -
hash_algorithm- Weak hash algorithm used in the signature (e.g.MD5,SHA1)
Loading...
Unable to load this documentation page.