Vulnerability in PDF signature validation, we advise customers to update their PDF readers
Incident Report for Evidos trust services
Resolved
Summary
Researchers at the Ruhr-Universität Bochum found a vulnerability in electronic signature validation.
Signed documents could be altered without invalidating the digital signature.
Most PDF readers have fixed this vulnerability already. Check your own PDF reader version here:
https://pdf-insecurity.org/signature-shadow/evaluation_2020.html
General Impact
When validating a signed PDF, a validation service checks whether the file has been altered after the electronic signatures were placed. A vulnerability was found where this validation check returns 'valid' even though changes have been made to the PDF after signing.
In order to 'trick' the validation service, such an attack has to be prepared in the unsigned document before it is sent out for signing.
Read more about the issue here: https://news.rub.de/english/press-releases/2020-07-22-it-security-content-signed-pdf-documents-can-be-changed-unnoticed
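The mechanism described above, as an added example that is not code from Evidos or the researchers: a signature's /ByteRange only covers the file as it was at signing time, so a check can list which objects an update appended after the last signature redefines, which is exactly what a validator should look at. The sample PDF is constructed and structurally simplified (no xref tables, dummy signature value).

```python
import re

# Regexes for the two PDF structures the check relies on.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJ_RE = re.compile(rb"(?m)^(\d+)\s+(\d+)\s+obj\b")

def signed_extent(pdf: bytes) -> int:
    """End offset of the region covered by the last signature (0 if unsigned).

    /ByteRange [off1 len1 off2 len2] covers the whole file as it was at signing
    time, minus the signature value itself, so the signed file ends at
    off2 + len2. Every byte past that offset was appended after signing.
    """
    ends = [int(o2) + int(l2) for _, _, o2, l2 in BYTERANGE_RE.findall(pdf)]
    return max(ends, default=0)

def redefined_after_signing(pdf: bytes) -> list[int]:
    """Object numbers defined in the signed region and redefined by an update
    appended after it. The signed bytes are untouched, so the signature still
    verifies, but viewers use the newest definition of each object, which is
    how the displayed content can differ from what was signed."""
    end = signed_extent(pdf)
    if end == 0 or end >= len(pdf):
        return []  # unsigned, or nothing appended after the signature
    before = {int(n) for n, _ in OBJ_RE.findall(pdf[:end])}
    after = {int(n) for n, _ in OBJ_RE.findall(pdf[end:])}
    return sorted(before & after)

def stream_obj(num: int, data: bytes) -> bytes:
    return b"%d 0 obj\n<< /Length %d >>\nstream\n" % (num, len(data)) + data + b"\nendstream\nendobj\n"

def make_sample() -> bytes:
    """Constructed sample (no xref tables, dummy signature value): a minimal
    signed PDF followed by an unsigned update that redefines content object 4."""
    objs = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n")
    head = (b"%PDF-1.7\n" + objs + stream_obj(4, b"BT 72 700 Td (Pay 100 EUR) Tj ET")
            + b"5 0 obj\n<< /Type /Sig /ByteRange [0 000000 000000 000000] /Contents <")
    sig, tail = b"00", b"> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    off2 = len(head) + len(sig) + 1  # first signed byte after the closing '>'
    ranges = b"[0 %06d %06d %06d]" % (len(head) - 1, off2, len(tail) - 1)
    signed = head.replace(b"[0 000000 000000 000000]", ranges) + sig + tail
    update = stream_obj(4, b"BT 72 700 Td (Pay 1000 EUR) Tj ET") + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return signed + update
```

A non-empty result is a list of objects to review, not a verdict: PAdES LTV itself appends updates after signing (the DSS and document timestamps, which also touch the catalog), so a validator has to distinguish those from changes to page content, fonts or annotations.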

Impact on Evidos signing service Signhost
Evidos uses the PAdES LTV standard to sign documents electronically. We conform to the standard, but do not provide a validation service to check file integrity after signing. Because we use such a widespread PDF signing standard, our philosophy is that our signed documents can always be validated, even if our company no longer existed. Because we do not provide a validation service, we are not impacted by this vulnerability. As described above, this attack is only possible by 'preparing' a file before it is sent out for signing. Therefore, it is not possible for a signer to alter the document after signing, and our customers, who create and send out their own transactions, are not at risk.

Solution
We advise always using the most recent version of a PDF reader and/or validation service to check digital signature integrity.
When you create and upload the documents for signing yourself, you are not at risk.
When you receive a previously (externally) signed document as a PDF and want to validate the signatures, we advise using the most recent version of a PDF reader and examining the document carefully.
We have been advising our customers to validate signed documents, if necessary, in third-party applications such as Adobe. Validation happens automatically on opening a signed PDF file.
With an updated PDF reader, these documents will show as containing invalid signatures.
Posted Jul 22, 2020 - 08:00 CEST