Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-26927, CVE-2026-26928) found in Szafir software.
Analysis Summary
# Vulnerability: Multiple Flaws in Szafir Digital Signature Software
## CVE Details
- **CVE ID:** CVE-2026-26927 (Szafir SDK Web), CVE-2026-26928 (SzafirHost)
- **CVSS Score:** Not specified in source (Estimated: High)
- **CWE:** CWE-348 (Use of Less Trusted Source), CWE-354 (Improper Validation of Integrity Check Value)
## Affected Systems
- **Products:**
- Szafir SDK Web (Browser Plugin)
- SzafirHost (Native Application)
- **Versions:**
- Szafir SDK Web: All versions prior to 0.0.17.4
- SzafirHost: All versions prior to 1.1.0
- **Configurations:** Systems where the user has granted "Remember" permissions for the application execution prompt are at higher risk.
## Vulnerability Description
The Szafir software suite suffers from two interconnected vulnerabilities that together allow remote code execution on the user's machine:
1. **CVE-2026-26927 (Szafir SDK Web):** The browser plugin does not validate the `document_base_url` parameter. A malicious website can use it to override the origin that is passed to SzafirHost, so SzafirHost launches in the context of an attacker-chosen URL rather than the page the user is actually on. A confirmation prompt is normally shown, but if the user previously ticked the "Remember" option for a similar prompt, the application runs without any further interaction.
2. **CVE-2026-26928 (SzafirHost):** On launch, SzafirHost downloads the dynamic libraries it needs. JAR files are checked against trusted hashes or digital signatures, but native library files (DLL, SO, JNILIB, DYLIB) receive no integrity or signature check at all. An attacker who controls what is downloaded can therefore supply a malicious library, which is saved to the local `/temp` folder and then loaded and executed by the application.
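The two lessons above, shown as one host-side sketch: bind the prompt and the "Remember" decision to the origin the browser reports rather than a page-controlled parameter (CWE-348), and give native libraries the same pinned-hash check that JARs already get (CWE-354). This is an added example, not Szafir or KIR code; the manifest format, the function names and the constructed library bytes are assumptions made for illustration.

```python
"""Added example (not Szafir or KIR code): a hardened host-side sketch for the
two weaknesses above. The manifest format, function names and the constructed
library bytes are assumptions made for illustration."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

NATIVE_EXTS = (".dll", ".so", ".jnilib", ".dylib")


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; only https with a host is accepted."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname:
        raise ValueError(f"refusing non-https or hostless URL: {url!r}")
    port = f":{p.port}" if p.port else ""
    return f"https://{p.hostname.lower()}{port}"


def is_same_origin(browser_origin: str, document_base_url: str) -> bool:
    """True only if the page-supplied base URL belongs to the browser-reported origin."""
    try:
        return origin_of(browser_origin) == origin_of(document_base_url)
    except ValueError:
        return False


def launch_origin(browser_origin: str, document_base_url: str) -> str:
    """CVE-2026-26927 lesson: the origin shown in the prompt and stored by
    'Remember' must be the one the browser reports, never a page-controlled
    parameter; a mismatch is rejected rather than silently accepted."""
    if not is_same_origin(browser_origin, document_base_url):
        raise PermissionError(
            f"document_base_url {document_base_url!r} is not within origin {browser_origin!r}")
    return origin_of(browser_origin)


def library_is_valid(name: str, data: bytes, manifest: dict) -> bool:
    """CVE-2026-26928 lesson: native libraries get the same pinned-hash check as
    JARs. Unknown names, path components and hash mismatches all fail closed."""
    if os.path.basename(name) != name or not name.lower().endswith(NATIVE_EXTS + (".jar",)):
        return False
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_and_store(name: str, data: bytes, manifest: dict, dest_dir: str) -> str:
    """Write a verified library atomically into a private directory and return its path."""
    if not library_is_valid(name, data, manifest):
        raise ValueError(f"integrity check failed for {name!r}; not written")
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".dl-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    final = os.path.join(dest_dir, name)
    os.replace(tmp, final)  # rename only after verification, so a half-written file is never loadable
    return final


def run_demo() -> dict:
    """Exercise both checks on constructed data; returns outcomes instead of printing."""
    good = b"MZ\x90\x00 constructed stand-in for a vendor-built library"
    # Assumption: in a real build the manifest ships inside the signed installer,
    # so an attacker who controls the download channel cannot rewrite it.
    manifest = {"szafir_native.dll": hashlib.sha256(good).hexdigest()}
    dest = tempfile.mkdtemp(prefix="szafir-demo-")
    out = {
        "origin_ok": is_same_origin("https://bank.example", "https://bank.example/sign?id=1"),
        "origin_spoofed": is_same_origin("https://bank.example", "https://attacker.example/"),
        "lib_ok": library_is_valid("szafir_native.dll", good, manifest),
        "lib_tampered": library_is_valid("szafir_native.dll", good + b"\x00", manifest),
        "lib_unlisted": library_is_valid("extra.so", good, manifest),
        "lib_traversal": library_is_valid("../szafir_native.dll", good, manifest),
    }
    out["stored"] = os.path.isfile(verify_and_store("szafir_native.dll", good, manifest, dest))
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:15} {value}")
```

The point of `library_is_valid` is that the check is keyed on a manifest the attacker cannot rewrite: if the hash list itself travels over the same channel as the libraries, the attacker simply replaces both, so the manifest has to be pinned in the signed installer or signed separately.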
## Exploitation
- **Status:** PoC described; reported via Coordinated Vulnerability Disclosure (CVD).
- **Complexity:** Medium (Requires user to visit a malicious site and potentially click a prompt).
- **Attack Vector:** Network (Web-based).
## Impact
- **Confidentiality:** High (arbitrary code execution with the privileges of the user running SzafirHost, giving access to that user's data).
- **Integrity:** High (attacker-supplied files are written to disk and executed).
- **Availability:** High (the attacker's code can run any payload, including ransomware).
## Remediation
### Patches
The vendor, Krajowa Izba Rozliczeniowa, has released updates to address these flaws:
- **Szafir SDK Web:** Update to version **0.0.17.4** or later.
- **SzafirHost:** Update to version **1.1.0** or later.
### Workarounds
- Users should avoid selecting the "Remember" option when prompted by the Szafir SDK Web plugin until the software is updated.
- Carefully inspect the URL displayed in the Szafir application confirmation prompt before clicking "OK."
## Detection
- Identify installations of Szafir software through filesystem audits (checking versions of the SDK and SzafirHost).
- Monitor the user's `/temp` directory for unexpected creation of DLL, SO, or DYLIB files by the SzafirHost process.
- Inspect web proxy logs for suspicious connections from SzafirHost to unknown or external domains.
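The two monitoring bullets above, as an added example that is not CERT Polska or vendor tooling: one function lists native library files freshly written under a temp directory, the other flags SzafirHost connections to hosts outside an allowlist. The event format, the allowlist and the sample events are constructed assumptions; the real process name, log schema and vendor hosts must be taken from your own telemetry and the vendor's documentation.

```python
"""Added example (not CERT Polska or vendor tooling) for the two detection
bullets above. The JSON event format, the allowlist and the sample events are
constructed assumptions."""
import json
import os
import tempfile
import time

NATIVE_EXTS = (".dll", ".so", ".jnilib", ".dylib")

# Assumption: populate from the vendor's documented update/download hosts.
ALLOWED_HOSTS = {"updates.vendor.example"}

# Constructed JSON-lines network events in the shape an EDR might emit.
SAMPLE_EVENTS = """\
{"ts": "2026-04-10T09:12:01Z", "process": "SzafirHost.exe", "dest": "updates.vendor.example", "port": 443}
{"ts": "2026-04-10T09:12:03Z", "process": "chrome.exe", "dest": "cdn.attacker.example", "port": 443}
{"ts": "2026-04-10T09:12:05Z", "process": "SzafirHost.exe", "dest": "cdn.attacker.example", "port": 443}
{"ts": "2026-04-10T09:12:09Z", "process": "szafirhost", "dest": "203.0.113.7", "port": 8080}
"""


def recent_native_libs(directory, max_age_s, now=None):
    """Return native library files under `directory` modified within `max_age_s` seconds.
    Pair this with process-creation telemetry to attribute the write to SzafirHost."""
    now = time.time() if now is None else now
    hits = []
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            if fn.lower().endswith(NATIVE_EXTS):
                path = os.path.join(root, fn)
                if now - os.path.getmtime(path) <= max_age_s:
                    hits.append(path)
    return sorted(hits)


def flag_host_connections(lines, allowed=ALLOWED_HOSTS, process_name="szafirhost"):
    """Return (timestamp, dest) for every SzafirHost connection to a non-allowlisted host.
    The process-name match is case-insensitive and ignores a trailing .exe."""
    alerts = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        proc = str(ev.get("process", "")).lower()
        if proc.endswith(".exe"):
            proc = proc[:-4]
        if proc != process_name:
            continue
        dest = str(ev.get("dest", "")).lower()
        if dest not in allowed:
            alerts.append((ev.get("ts"), dest))
    return alerts


def run_demo() -> dict:
    """Create a throwaway temp dir with a fresh library, a stale one and a non-library
    file, then run both checks and return the results instead of printing them."""
    d = tempfile.mkdtemp(prefix="szafir-detect-")
    fresh = os.path.join(d, "szafir_native.dll")
    stale = os.path.join(d, "old.so")
    for p in (fresh, stale, os.path.join(d, "notes.txt")):
        with open(p, "wb") as fh:
            fh.write(b"constructed")
    os.utime(stale, (time.time() - 86400,) * 2)  # back-date the stale library to a day ago
    return {
        "fresh_libs": [os.path.basename(p) for p in recent_native_libs(d, max_age_s=3600)],
        "alerts": flag_host_connections(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:10} {value}")
```

A bare proxy log usually carries no process name, which is why the example consumes EDR-style events; if only proxy logs are available, correlate them with local connection or process telemetry before raising an alert, otherwise every browser visit to a new host will show up as noise.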
## References
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/04/vulnerabilities-in-szafir-software/
- **CVE-2026-26927:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-26927
- **CVE-2026-26928:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-26928