CVE-2008-5077 — Improper Input Validation in Libcrypt-openssl-dsa-perl

CWE-20 — Improper Input Validation CWE-287 — Improper Authentication CWE-252 — Unchecked Return Value76 documents8 sources

Severity

7.5HIGHNVD

NVD6.8NVD5.8NVD5.0NVD4.3OSV5.8

EPSS

0.2%

top 53.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Berkeley Boinc Client Entrouvert Lasso Gnome Evolution-data-server +24 more

Timeline

PublishedJan 7

Latest updateMay 14

Description

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages32 packages

▶debiandebian/openssl< openssl 0.9.8g-15 (bookworm)

▶debiandebian/libcrypt-openssl-dsa-perl< libcrypt-openssl-dsa-perl 0.13-4 (bookworm)

▶Debianopenssl/openssl< 0.9.8g-15+3

▶Debianperl-openssl/libcrypt-openssl-dsa-perl< 0.13-4+3

▶NVDopenssl/openssl0.9.8h+42

🔴Vulnerability Details

GHSA

GHSA-5fwv-px3v-6qxv: OpenSSL 0↗2022-05-14

▶

GHSA

GHSA-7ccf-7vx8-76vm: Lasso 2↗2022-05-02

▶

GHSA

GHSA-cvwp-gwp2-6xqh: libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote a↗2022-05-02

▶

GHSA

GHSA-hcwf-6ghh-6m6f: BIND 9↗2022-05-02

▶

GHSA

GHSA-4q4m-qx69-vcgq: NTP 4↗2022-05-02

▶

📋Vendor Advisories

Red Hat

m2crypto: OpenSSL incorrect checks for malformed signatures↗2009-01-11

▶

Red Hat

libnasl: OpenSSL incorrect checks for malformed signatures↗2009-01-11

▶

Red Hat

boinc-client: Does not check the RSA_public_decrypt() return value.↗2009-01-11

▶

Red Hat

perl-Crypt-OpenSSL-DSA: do_verify() doesn't fail on errors in OpenSSL DSA_do_verify()↗2009-01-11

▶

Red Hat

tqsllib: OpenSSL incorrect checks for malformed signatures↗2009-01-11

▶

💬Community

Bugzilla

CVE-2009-0129 perl-Crypt-OpenSSL-DSA: do_verify() doesn't fail on errors in OpenSSL DSA_do_verify()↗2009-02-17

▶

Bugzilla

CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)↗2009-02-10

▶

Bugzilla

CVE-2009-0126 boinc-client: Does not check the RSA_public_decrypt() return value.↗2009-01-12

▶

Bugzilla

CVE-2009-0125 libnasl: OpenSSL incorrect checks for malformed signatures↗2009-01-12

▶

Bugzilla

CVE-2009-0127 m2crypto: OpenSSL incorrect checks for malformed signatures↗2009-01-12

▶