Vigil@nce: OpenSSL, several vulnerabilities
April 2009 by Vigil@nce
Three OpenSSL vulnerabilities can be used by an attacker to create
a denial of service or to bypass validations.
– Severity: 2/4
– Consequences: data flow, denial of service of service
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 3
– Creation date: 26/03/2009
IMPACTED PRODUCTS
– OpenSSL
DESCRIPTION OF THE VULNERABILITY
Three OpenSSL vulnerabilities can be used by an attacker to create
a denial of service or to bypass validations.
When the size of an ASN.1 string is invalid, an error occurs in
the ASN1_STRING_print_ex() function and stops the application.
[grav:2/4; CVE-2009-0590]
When attributes of a signature are malformed, the CMS_verify()
function indicates that the signature is valid. [grav:2/4;
CVE-2009-0591]
On some platforms (such as Win64), when a memory containing ASN.1
data is reset, an error occurs and stops the application.
[grav:1/4; CVE-2009-0789]
CHARACTERISTICS
– Identifiers: BID-34256, CVE-2009-0590, CVE-2009-0591,
CVE-2009-0789, secadv_20090325, VIGILANCE-VUL-8563
– Url: http://vigilance.fr/vulnerability/OpenSSL-several-vulnerabilities-8563