CVE-2008-5077

medium

Description

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

References

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

http://marc.info/?l=bugtraq&m=123859864430555&w=2

http://marc.info/?l=bugtraq&m=124277349419254&w=2

http://marc.info/?l=bugtraq&m=127678688104458&w=2

http://secunia.com/advisories/33338

http://secunia.com/advisories/33394

http://secunia.com/advisories/33436

http://secunia.com/advisories/33557

http://secunia.com/advisories/33673

http://secunia.com/advisories/33765

http://secunia.com/advisories/34211

http://secunia.com/advisories/35074

http://secunia.com/advisories/35108

http://secunia.com/advisories/39005

http://security.gentoo.org/glsa/glsa-200902-02.xml

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.544796

http://sunsolve.sun.com/search/document.do?assetkey=1-66-250826-1

http://support.apple.com/kb/HT3549

http://support.avaya.com/elmodocs2/security/ASA-2009-038.htm

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653

http://voodoo-circle.sourceforge.net/sa/sa-20090123-01.html

http://www.ocert.org/advisories/ocert-2008-016.html

http://www.openssl.org/news/secadv_20090107.txt

http://www.redhat.com/support/errata/RHSA-2009-0004.html

http://www.securityfocus.com/archive/1/499827/100/0/threaded

http://www.securityfocus.com/archive/1/502322/100/0/threaded

http://www.securityfocus.com/bid/33150

http://www.securitytracker.com/id?1021523

http://www.us-cert.gov/cas/techalerts/TA09-133A.html

http://www.vmware.com/security/advisories/VMSA-2009-0004.html

http://www.vupen.com/english/advisories/2009/0040

http://www.vupen.com/english/advisories/2009/0289

http://www.vupen.com/english/advisories/2009/0362

http://www.vupen.com/english/advisories/2009/0558

http://www.vupen.com/english/advisories/2009/0904

http://www.vupen.com/english/advisories/2009/0913

http://www.vupen.com/english/advisories/2009/1297

http://www.vupen.com/english/advisories/2009/1338

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6380

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9155

https://usn.ubuntu.com/704-1/

Details

Source: MITRE

Published: 2009-01-07

Updated: 2018-10-11

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8h (inclusive)

Tenable Plugins

View all (53 total)

ID | Name | Product | Family | Severity
127177 | NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020) | Nessus | NewStart CGSL Local Security Checks | critical
125000 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547) | Nessus | Huawei Local Security Checks | medium
108014 | Solaris 10 (x86) : 139501-02 | Nessus | Solaris Local Security Checks | medium
89112 | VMware ESX Multiple Vulnerabilities (VMSA-2009-0004) (remote check) | Nessus | Misc. | high
79458 | OracleVM 2.1 : ntp (OVMSA-2009-0011) | Nessus | OracleVM Local Security Checks | medium
78228 | F5 Networks BIG-IP : BIND 9 vulnerability (SOL9754) | Nessus | F5 Networks Local Security Checks | medium
78125 | F5 Networks BIG-IP : BIND 9 vulnerability (SOL11503) | Nessus | F5 Networks Local Security Checks | medium
75802 | openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1) | Nessus | SuSE Local Security Checks | medium
75453 | openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1) | Nessus | SuSE Local Security Checks | medium
67793 | Oracle Linux 4 / 5 : ntp (ELSA-2009-0046) | Nessus | Oracle Linux Local Security Checks | medium
67792 | Oracle Linux 3 / 4 / 5 : bind (ELSA-2009-0020) | Nessus | Oracle Linux Local Security Checks | medium
67783 | Oracle Linux 3 / 4 / 5 : openssl (ELSA-2009-0004) | Nessus | Oracle Linux Local Security Checks | medium
60513 | Scientific Linux Security Update : openssl on SL3.x, SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium
17762 | OpenSSL < 0.9.8j Signature Spoofing | Nessus | Web Servers | medium
57170 | SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7645) | Nessus | SuSE Local Security Checks | medium
55715 | SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7644) | Nessus | SuSE Local Security Checks | medium
55711 | SuSE 11.1 Security Update : compat-openssl097g (SAT Patch Number 4913) | Nessus | SuSE Local Security Checks | medium
54870 | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2009-014-02) | Nessus | Slackware Local Security Checks | medium
43728 | CentOS 4 / 5 : ntp (CESA-2009:0046) | Nessus | CentOS Local Security Checks | medium
41570 | SuSE 10 Security Update : openssl (ZYPP Patch Number 5949) | Nessus | SuSE Local Security Checks | medium
41490 | SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 5957) | Nessus | SuSE Local Security Checks | medium
41271 | SuSE9 Security Update : openssl (YOU Patch Number 12341) | Nessus | SuSE Local Security Checks | medium
40389 | VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim | Nessus | VMware ESX Local Security Checks | high
40259 | openSUSE Security Update : libopenssl-devel (libopenssl-devel-461) | Nessus | SuSE Local Security Checks | medium
40203 | openSUSE Security Update : compat-openssl097g (compat-openssl097g-480) | Nessus | SuSE Local Security Checks | medium
40032 | openSUSE Security Update : libopenssl-devel (libopenssl-devel-461) | Nessus | SuSE Local Security Checks | medium
39937 | openSUSE Security Update : compat-openssl097g (compat-openssl097g-480) | Nessus | SuSE Local Security Checks | medium
38832 | HP System Management Homepage < 3.0.1.73 Multiple Flaws | Nessus | CGI abuses | medium
38744 | Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
38743 | Mac OS X Multiple Vulnerabilities (Security Update 2009-002) | Nessus | MacOS X Local Security Checks | critical
38118 | Solaris 10 (sparc) : 139500-04 | Nessus | Solaris Local Security Checks | medium
37876 | Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : ntp vulnerability (USN-705-1) | Nessus | Ubuntu Local Security Checks | medium
37839 | Mandriva Linux Security Advisory : openssl (MDVSA-2009:001) | Nessus | Mandriva Local Security Checks | medium
36555 | Solaris 10 (x86) : 139501-02 | Nessus | Solaris Local Security Checks | medium
36382 | Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : openssl vulnerability (USN-704-1) | Nessus | Ubuntu Local Security Checks | medium
36344 | Fedora 10 : openssl-0.9.8g-12.fc10 (2009-0331) | Nessus | Fedora Local Security Checks | medium
36220 | Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : bind9 vulnerability (USN-706-1) | Nessus | Ubuntu Local Security Checks | medium
36093 | GLSA-200904-05 : ntp: Certificate validation error | Nessus | Gentoo Local Security Checks | medium
35673 | GLSA-200902-02 : OpenSSL: Certificate validation error | Nessus | Gentoo Local Security Checks | medium
35589 | CentOS 3 / 4 / 5 : bind (CESA-2009:0020) | Nessus | CentOS Local Security Checks | medium
35551 | RHEL 4 / 5 : ntp (RHSA-2009:0046) | Nessus | Red Hat Local Security Checks | medium
35471 | openSUSE 10 Security Update : compat-openssl097g (compat-openssl097g-5964) | Nessus | SuSE Local Security Checks | medium
35459 | openSUSE 10 Security Update : libopenssl-devel (libopenssl-devel-5951) | Nessus | SuSE Local Security Checks | medium
35397 | Fedora 9 : openssl-0.9.8g-9.12.fc9 (2009-0325) | Nessus | Fedora Local Security Checks | medium
35377 | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : ntp (SSA:2009-014-03) | Nessus | Slackware Local Security Checks | medium
35376 | Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : openssl (SSA:2009-014-01) | Nessus | Slackware Local Security Checks | medium
35365 | Debian DSA-1702-1 : ntp - interpretation conflict | Nessus | Debian Local Security Checks | medium
35364 | Debian DSA-1701-1 : openssl, openssl097 - interpretation conflict | Nessus | Debian Local Security Checks | medium
35324 | RHEL 2.1 / 3 / 4 / 5 : bind (RHSA-2009:0020) | Nessus | Red Hat Local Security Checks | medium
35316 | RHEL 2.1 / 3 / 4 / 5 : openssl (RHSA-2009:0004) | Nessus | Red Hat Local Security Checks | medium
35310 | CentOS 3 / 4 / 5 : openssl (CESA-2009:0004) | Nessus | CentOS Local Security Checks | medium
5023 | Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical
800792 | Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities | Log Correlation Engine | Operating System Detection | high