CVE-2009-0127

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515	Third Party Advisory
http://openwall.com/lists/oss-security/2009/01/12/4	Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=479676	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*

History

07 Nov 2023, 02:03

Type	Values Removed	Values Added
Summary	DISPUTED M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."	M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.

Information

Published : 2009-01-15 17:30

Updated : 2024-08-07 05:15

NVD link : CVE-2009-0127

Mitre link : CVE-2009-0127

CVE.ORG link : CVE-2009-0127

JSON object : View

Products Affected

heikkitoivonen

m2crypto

CWE

CWE-287

Improper Authentication

{"id": "CVE-2009-0127", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-01-15T17:30:00.577", "references": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://openwall.com/lists/oss-security/2009/01/12/4", "tags": ["Mailing List"], "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=479676", "tags": ["Exploit", "Issue Tracking"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because \"these functions are not used anywhere in m2crypto."}, {"lang": "es", "value": "** CUESTIONADA ** M2Crypto no comprueba adecuadamente el valor de retorno de las funciones OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify y ECDSA_do_verify, lo que permitiria a atacantes remotos evitar la validacion del certificado en cadena a traves de una firma SSL/TLS malformada, una vulnerabilidad similar a CVE-2008-5077. NOTE: Un fabricante de Linux cuestiona la relevancia de este informe en el producto M2Crypto debido a que \"esas funciones no se utilizan en ningun sitio de m2crypto\"."}], "lastModified": "2024-08-07T05:15:27.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FDB41E1-9DB5-4F02-AAA3-8CB475EE073F"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat does not consider this to be a security issue. M2Crypto provides python interfaces to multiple OpenSSL functions. Neither of those interfaces is further used by M2Crypto in an insecure way. Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto.\n\nFurther details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1", "lastModified": "2009-01-21T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}