[ntp:security] [oCERT-2008-016 draft] OpenSSL incorrect checks for malformed signatures

Andrea Barisani lcars at ocert.org
Tue Dec 16 11:08:51 UTC 2008


Hi,

oCERT has been recently notified about a vulnerability affecting the OpenSSL
library. The issue relates to the incorrect usage of the EVP_VerifyFinal
function.

We have detected that your project is affected by the same issue and
incorrectly checks the return code of EVP_VerifyFinal; this could lead to
malformed signatures being treated as good ones.

Example:

*incorrect*:  if (! EVP_VerifyFinal(a, b, c, d))

*correct*:    if (EVP_VerifyFinal(a, b, c, d) <= 0)

Following is the text of our advisory and recommendations from the OpenSSL
Security Team.

IMPORTANT:
This issue will go public on January 7th 2009 and it is considered embargoed
until then, *please do not publish this information and/or commit public
fixes for this issue until embargo date is reached*.

We would appreciate if you can let us know if you plan to fix the
vulnerability and which future version of your software will ship the fix. We
will be happy to update our advisory with all the relevant release
information once it's published.

Feel free to contact us with any questions.

Thanks!

-------------------------------------------------------------------------------

Recommendations for projects using OpenSSL
------------------------------------------

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

-------------------------------------------------------------------------------

#2008-016 OpenSSL incorrect checks for malformed signatures

Description:

Several functions inside the OpenSSL library incorrectly check the result after
calling the EVP_VerifyFinal function.

This bug allows a malformed signature to be treated as a good signature rather
than as an error. This issue affects the signature checks on DSA and ECDSA keys
used with SSL/TLS.

The flaw could be exploited by an attacker in control of a malicious
server or performing a man-in-the-middle attack to present a malformed SSL/TLS
signature from a certificate chain to a vulnerable client, bypassing
validation.

Additional recommendations are described in the original OpenSSL Team advisory.

The following patch fixes the issue along with return codes checking fixes that
do not have a security implication: <patch url>

Affected version:

OpenSSL <= 0.9.8i [*]

* - use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected. Verification of client
certificates by OpenSSL servers for any key type is NOT affected.

Fixed version:

OpenSSL >= 0.9.8j

Additional affected packages:

The following packages are affected by the same OpenSSL vulnerability, as they
use the OpenSSL EVP_VerifyFinal function and incorrectly check the return code.

NTP <= 4.2.4p5 (production), 4.2.5p150 (development)

Grid Engine <= 5.3

Gale <= 0.99

Pubcookie <= 3.3.3

Belgian eID middleware - eidlib <= 2.6.0 [*]

Freedom Network Server <= 2.x

* - Belgian eID middleware latest versions are not available in source
form, therefore we cannot confirm if they are affected

Credit: The OpenSSL security team would like to thank the Google Security Team
for reporting this issue

CVE: CVE-2008-5077


-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars at ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
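
An added example, not part of the original message or of any affected project's code: a heuristic Python scanner for the audit recommended above, flagging EVP_VerifyFinal call sites whose result is not compared in a way that rejects both 0 and -1. The names `audit` and `SAMPLE` and the C fragment in `SAMPLE` are constructed for illustration.

```python
import re

CALL = re.compile(r"\bEVP_VerifyFinal\s*\(")
# Comparisons that separate 1 (good) from both 0 (bad) and -1 (error).
SAFE_AFTER = re.compile(r"\s*(<=\s*0|<\s*1|==\s*1|!=\s*1|>\s*0|>=\s*1)\b")
# A plain assignment immediately before the call, e.g. "rc = ".
ASSIGNED = re.compile(r"[A-Za-z_\]\)]\s*=\s*$")


def _call_end(src, open_idx):
    """Return the index just past the ')' matching the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(src)


def audit(src):
    """Return a list of (line_number, verdict), one per EVP_VerifyFinal call."""
    findings = []
    for m in CALL.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        before = src[:m.start()].rstrip()
        after = src[_call_end(src, m.end() - 1):]
        if before.endswith("!"):
            verdict = "UNSAFE: '!' treats -1 (error) as success"
        elif SAFE_AFTER.match(after):
            verdict = "ok"
        elif ASSIGNED.search(before):
            verdict = "REVIEW: result stored, check how it is tested"
        else:
            verdict = "UNSAFE: no comparison that rejects -1"
        findings.append((line, verdict))
    return findings


# Constructed C fragment covering the patterns from the message above.
SAMPLE = """\
if (!EVP_VerifyFinal(ctx, sig, len, key)) goto err;
if (EVP_VerifyFinal(ctx, sig, len, key) <= 0) goto err;
rc = EVP_VerifyFinal(ctx, sig,
                     len, key);
if (EVP_VerifyFinal(ctx, sig, len, key) == 0) goto err;
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE):
        print(f"line {line}: {verdict}")
```

The scanner is purely textual, so mentions inside comments or strings and reversed comparisons such as `1 != EVP_VerifyFinal(...)` are flagged for a human to confirm.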

