OpenSSL signature verification API misuses

Bug #314776 reported by Till Ulen on 2009-01-07
Affects | Importance | Assigned to
bind9 (Ubuntu) | Medium | Jamie Strandboge
ntp (Ubuntu) | Medium | Jamie Strandboge
openslp-dfsg (Ubuntu) | Low | Jamie Strandboge
openssl (Ubuntu) | High | Jamie Strandboge

Bug Description

Binary package hint: openssl

Please see the details in the oCERT advisory #2008-016:
http://www.ocert.org/advisories/ocert-2008-016.html

"Several functions inside the OpenSSL library incorrectly check the result after calling the EVP_VerifyFinal function.

This bug allows a malformed signature to be treated as a good signature rather than as an error. This issue affects the signature checks on DSA and ECDSA keys used with SSL/TLS.

The flaw may be exploited by a malicious server or a man-in-the-middle attack that presents a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation."

This affects not only OpenSSL, but also Bind, NTP and some other packages.
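
The return-code mistake described in the advisory, as an added example that is not part of the original report or of any of the patched packages: EVP_VerifyFinal() returns 1 for a valid signature, 0 for an invalid one, and -1 for other errors, so a check that treats only 0 as failure accepts the error case. The function toy_verify_final(), the sample byte strings, and the "wrong length means malformed" rule are constructed stand-ins so the block runs without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4  /* constructed toy signature length */

/* Constructed sample inputs (not real signatures). */
static const unsigned char EXPECTED[SIG_LEN] = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char GOOD[SIG_LEN]     = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char WRONG[SIG_LEN]    = {0x00, 0x00, 0x00, 0x00};
static const unsigned char MALFORMED[2]      = {0xde, 0xad};

/* Hypothetical stand-in that follows the EVP_VerifyFinal() return
 * convention: 1 = valid, 0 = invalid, -1 = other error (assumed here to
 * be a signature blob that cannot be decoded). */
static int toy_verify_final(const unsigned char *sig, size_t len)
{
    if (sig == NULL || len != SIG_LEN)
        return -1;
    return memcmp(sig, EXPECTED, SIG_LEN) == 0 ? 1 : 0;
}

/* Pre-fix pattern: only 0 counts as failure, so -1 is taken as success. */
static int accept_vulnerable(const unsigned char *sig, size_t len)
{
    if (!toy_verify_final(sig, len))
        return 0;   /* rejected */
    return 1;       /* accepted, including the -1 error case */
}

/* Fixed pattern: any result that is not positive is a failure. */
static int accept_fixed(const unsigned char *sig, size_t len)
{
    if (toy_verify_final(sig, len) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("good:      vulnerable=%d fixed=%d\n",
           accept_vulnerable(GOOD, sizeof GOOD), accept_fixed(GOOD, sizeof GOOD));
    printf("wrong:     vulnerable=%d fixed=%d\n",
           accept_vulnerable(WRONG, sizeof WRONG), accept_fixed(WRONG, sizeof WRONG));
    printf("malformed: vulnerable=%d fixed=%d\n",
           accept_vulnerable(MALFORMED, sizeof MALFORMED),
           accept_fixed(MALFORMED, sizeof MALFORMED));
    return 0;
}
```

When auditing callers, the same tri-state convention applies to DSA_do_verify(), which the bind9 changelog entry in this report names.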


Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug.

Changed in openssl:
assignee: nobody → jdstrand
status: New → Fix Committed
Changed in ntp:
assignee: nobody → jdstrand
status: New → Fix Committed
Changed in bind9:
assignee: nobody → jdstrand
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

openssl (0.9.8g-14ubuntu2) jaunty; urgency=low

  * SECURITY UPDATE: clients treat malformed signatures as good when verifying
    server DSA and ECDSA certificates
    - update apps/speed.c, apps/spkac.c, apps/verify.c, apps/x509.c,
      ssl/s2_clnt.c, ssl/s2_srvr.c, ssl/s3_clnt.c, s3_srvr.c, and
      ssl/ssltest.c to properly check the return code of EVP_VerifyFinal()
    - patch based on upstream patch for #2008-016
    - CVE-2008-5077

Jamie Strandboge (jdstrand) wrote :

OpenSSL issue is fixed in http://www.ubuntu.com/usn/usn-704-1.

Changed in openssl:
status: Fix Committed → Fix Released
Kees Cook (kees) on 2009-01-07
Changed in openslp-dfsg:
assignee: nobody → jdstrand
status: New → Triaged
Changed in bind9:
importance: Undecided → High
Changed in ntp:
importance: Undecided → High
Changed in openslp-dfsg:
importance: Undecided → High
Changed in openssl:
importance: Undecided → High
Changed in bind9:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

ntp (1:4.2.4p4+dfsg-7ubuntu3) jaunty; urgency=low

  * SECURITY UPDATE: clients treat malformed signatures as good when verifying
    server DSA and ECDSA certificates.
    - debian/patches/CVE-2009-0021.patch: update ntpd/ntp_crypto.c to properly
      check the return code of EVP_VerifyFinal()
    - CVE-2009-0021

Changed in ntp:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in ntp:
importance: High → Medium
Changed in bind9:
importance: High → Medium
Changed in openslp-dfsg:
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

bind9 (1:9.5.0.dfsg.P2-5ubuntu1) jaunty; urgency=low

  * SECURITY UPDATE: clients treat malformed signatures as good when verifying
    server DSA and ECDSA certificates.
    - update lib/dns/openssldsa_link.c to properly check the return code of
      DSA_do_verify()
    - CVE-2009-0025

Changed in bind9:
status: Fix Committed → Fix Released
Changed in openslp-dfsg:
importance: High → Medium
Jamie Strandboge (jdstrand) wrote :

openslp as of 1.2.1-5 (the one shipped in Dapper) doesn't build with --enable-security and in fact Build-Conflicts against libssl-dev (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=337606), so the package would need significant changes to be affected by this bug.

Changed in openslp-dfsg:
importance: Medium → Low
status: In Progress → Won't Fix