CVE-2009-0127

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."

References

http://openwall.com/lists/oss-security/2009/01/12/4

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515

https://bugzilla.redhat.com/show_bug.cgi?id=479676

Details

Source: MITRE

Published: 2009-01-15

Updated: 2021-06-07

Type: CWE-287

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*

Tenable Plugins

View all (17 total)

IDNameProductFamilySeverity
108014Solaris 10 (x86) : 139501-02NessusSolaris Local Security Checks
medium
67793Oracle Linux 4 / 5 : ntp (ELSA-2009-0046)NessusOracle Linux Local Security Checks
medium
67792Oracle Linux 3 / 4 / 5 : bind (ELSA-2009-0020)NessusOracle Linux Local Security Checks
medium
67783Oracle Linux 3 / 4 / 5 : openssl (ELSA-2009-0004)NessusOracle Linux Local Security Checks
medium
43728CentOS 4 / 5 : ntp (CESA-2009:0046)NessusCentOS Local Security Checks
medium
40389VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vimNessusVMware ESX Local Security Checks
high
38118Solaris 10 (sparc) : 139500-04NessusSolaris Local Security Checks
medium
37876Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : ntp vulnerability (USN-705-1)NessusUbuntu Local Security Checks
medium
36555Solaris 10 (x86) : 139501-02NessusSolaris Local Security Checks
medium
36220Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : bind9 vulnerability (USN-706-1)NessusUbuntu Local Security Checks
medium
35589CentOS 3 / 4 / 5 : bind (CESA-2009:0020)NessusCentOS Local Security Checks
medium
35551RHEL 4 / 5 : ntp (RHSA-2009:0046)NessusRed Hat Local Security Checks
medium
35365Debian DSA-1702-1 : ntp - interpretation conflictNessusDebian Local Security Checks
medium
35364Debian DSA-1701-1 : openssl, openssl097 - interpretation conflictNessusDebian Local Security Checks
medium
35324RHEL 2.1 / 3 / 4 / 5 : bind (RHSA-2009:0020)NessusRed Hat Local Security Checks
medium
35316RHEL 2.1 / 3 / 4 / 5 : openssl (RHSA-2009:0004)NessusRed Hat Local Security Checks
medium
35310CentOS 3 / 4 / 5 : openssl (CESA-2009:0004)NessusCentOS Local Security Checks
medium