CERT-In:Indian Computer Emergency Response Team

HOME > VULNERABILITY NOTES

VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2009-03
OpenSSL DSA and ECDSA keys spoofing vulnerability

Original Issue Date:January 09, 2009

Severity Rating: Medium

Systems Affected

OpenSSL 0.9.8i and earlier

Overview

A vulnerability has been reported in OpenSSL 0.9.8i and earlier, which could be exploited by remote attackers to conduct spoofing attacks.

Description

The vulnerability is caused due to incorrect verification of the return value of "EVP_VerifyFinal()" function while validating the signature of DSA and ECDSA keys. This can be exploited by remote attackers to bypass validation of the certificate chain by sending a specially crafted SSL/TLS signature to a client.

Solution

Update to version openSSL 0.9.8j available at
http://www.openssl.org/source/

Vendor Information

OpenSSL
http://www.openssl.org/news/secadv_20090107.txt

References

Secunia
http://secunia.com/advisories/33338/

Open Source Computer Emergency Response Team (oCERT)
http://www.ocert.org/advisories/ocert-2008-016.html

CVE Name
CVE-2008-5077

CWE Name
CWE-287

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003

Home || Feedback || FAQ || Disclaimer

CERT-In Vulnerability Note CIVN-2009-03 OpenSSL DSA and ECDSA keys spoofing vulnerability

CERT-In Vulnerability Note CIVN-2009-03
OpenSSL DSA and ECDSA keys spoofing vulnerability