SecurityTracker.com
Category: Application (VPN) > OpenSSL
Vendors: OpenSSL.org
OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
SecurityTracker Alert ID: 1021523
SecurityTracker URL: http://securitytracker.com/id/1021523
CVE Reference: CVE-2008-5077
Date: Jan 7 2009
Impact: Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 0.9.8j
Description:   A vulnerability was reported in OpenSSL. A remote user can bypass digital signature validation.

The software does not properly check the return value of the EVP_VerifyFinal() function. As a result, a remote server can supply a specially crafted invalid signature on a certificate that will be accepted as valid. Signature checks on DSA and ECDSA keys used with SSL/TLS are affected.

Clients that connect to servers using RSA keys are not affected.

Client certificate validation is not affected.
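The check that went wrong, as an added example (not OpenSSL's code): the Go program below models the documented EVP_VerifyFinal() return contract (1 = verifies, 0 = does not verify, negative = error such as a malformed signature) on top of Go's standard-library ECDSA, then contrasts a check that treats only 0 as failure with one that accepts only 1. The key, message and signatures are constructed in the program; verifyFinal, vulnerableAccept, fixedAccept and demo are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// verifyFinal mirrors the documented EVP_VerifyFinal() return contract:
// 1 = verifies, 0 = does not verify, negative = error (here: the signature is
// not a DER SEQUENCE of two INTEGERs). Stand-in on crypto/ecdsa, not OpenSSL code.
func verifyFinal(pub *ecdsa.PublicKey, digest, sig []byte) int {
	var rs struct{ R, S *big.Int }
	rest, err := asn1.Unmarshal(sig, &rs)
	if err != nil || len(rest) != 0 {
		return -1 // malformed signature: an error, not a verdict
	}
	if ecdsa.Verify(pub, digest, rs.R, rs.S) {
		return 1
	}
	return 0
}

func vulnerableAccept(rc int) bool { return rc != 0 } // pre-fix style: only 0 is failure, so a negative error code passes
func fixedAccept(rc int) bool      { return rc == 1 } // corrected: nothing but the documented success value passes

// demo signs a constructed message with a fresh P-256 key; returns codes for a valid, a wrong, and a truncated signature.
func demo() [3]int {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	digest := sha256.Sum256([]byte("constructed ServerKeyExchange parameters"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil { panic(err) }
	other := sha256.Sum256([]byte("different parameters"))
	return [3]int{
		verifyFinal(&priv.PublicKey, digest[:], sig),              // 1: valid signature
		verifyFinal(&priv.PublicKey, other[:], sig),               // 0: well-formed, does not verify
		verifyFinal(&priv.PublicKey, digest[:], sig[:len(sig)-3]), // -1: malformed (truncated DER)
	}
}

func main() {
	for _, rc := range demo() {
		fmt.Printf("rc=%2d vulnerable accepts=%-5v fixed accepts=%v\n", rc, vulnerableAccept(rc), fixedAccept(rc))
	}
}
```

Only the truncated signature separates the two checks: the vulnerable one accepts its -1, the corrected one rejects it.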

The Google Security Team reported this vulnerability.

Impact:   A remote user can bypass certificate validation.
Solution:   The vendor has issued a fix (0.9.8j).

A patch for 0.9.8 is also available in the vendor's advisory.

The vendor's advisory is available at:

http://www.openssl.org/news/secadv_20090107.txt

Vendor URL: www.openssl.org/news/secadv_20090107.txt
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.
Jan 7 2009 (Red Hat Issues Fix) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, 4, and 5.
Jan 7 2009 (FreeBSD Issues Fix) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks (FreeBSD Security Advisories <security-advisories@freebsd.org>)
FreeBSD has released a fix.
Jan 9 2009 (OpenBSD Issues Fix) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
OpenBSD has issued a fix for OpenBSD 4.3 and 4.4.
Jan 30 2009 (Sun Issues Fix) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
Sun has issued a fix for Solaris 10 and OpenSolaris.
Apr 1 2009 (VMware Issues Fix for ESX Server) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks (VMware Security Announcements <security-announce@lists.vmware.com>)
VMware has issued a fix for VMware ESX Server.
Apr 1 2009 (HP Issues Fix for HP-UX) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
HP has issued a fix for HP-UX.
May 15 2009 (HP Issues Fix for HP System Management Homepage) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
HP has issued a fix for HP System Management Homepage (SMH) for Linux and Windows.
Jun 17 2010 (HP Issues Fix for OpenVMS) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
HP has issued a fix for OpenVMS.
Sep 26 2012 (Oracle Issues Fix for Sun SPARC Enterprise M-Series) OpenSSL Signature Validation Flaw Lets Remote Users Bypass Validation Checks
Oracle has issued a fix for Sun SPARC Enterprise M-Series servers.



Source Message Contents

Date: Wed, 7 Jan 2009 07:52:16 -0500
Subject: OpenSSL


http://www.openssl.org/news/secadv_20090107.txt

CVE-2008-5077

Copyright 2014, SecurityGlobal.net LLC