Vulnerability Bulletins |
Salto de verificación de certificados en OpenSSL |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Confidencialidad |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio estandar |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software |
OpenSSL <= 0.98i HP SSL <= v1.3 |
Description |
|
|
Se ha descubierto una vulnerabilidad en OpenSSL 0.9.8i. La vulnerabilidad reside en un error en la comprobación del valor desde la función "EVP_VerifyFinal". Un atacante remoto podría saltar la validación de un certificado mediante una firma SSL/TLS especialmente diseñada para claves DSA y ECDSA. |
|
Solution |
|
|
Actualización de software OpenSSL OpenSSL 0.9.8j / http://www.openssl.org/source/openssl-0.9.8j.tar.gz http://www.openssl.org/source/ Red Hat (RHSA-2008:0547-5) RHEL Desktop Workstation (v. 5 cliente) Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux (v. 5 servidor) Red Hat Enterprise Linux AS (v. 2.1) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux Desktop (v. 5 cliente) Red Hat Enterprise Linux ES (v. 2.1) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 2.1) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) Red Hat Linux Advanced Workstation 2.1 para Itanium Processor https://rhn.redhat.com/ Debian (DSA-1701-1) Debian Linux 4.0 Source http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch2.dsc http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.diff.gz http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch2.diff.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.dsc alpha (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_alpha.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_alpha.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_alpha.udeb amd64 (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_amd64.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_amd64.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_amd64.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_amd64.deb hppa (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_hppa.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_hppa.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_hppa.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_hppa.deb i386 (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_i386.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_i386.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_i386.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_i386.deb ia64 (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_ia64.udeb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_ia64.deb mips (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mips.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mips.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mips.deb mipsel (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mipsel.udeb powerpc (PowerPC) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_powerpc.udeb s390 (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_s390.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_s390.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_s390.udeb sparc (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_sparc.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_sparc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_sparc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_sparc.deb Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux. Sun (250826) Solaris 10 / SPARC / patch 139500-03 o posterior Solaris 10 / x86 / patch 139501-02 o posterior OpenSolaris / builds snv_107 o posterior http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage Hewlett-Packard HP-UX B.11.11 / OpenSSL / A.00.09.07m.046 HP-UX B.11.23 / OpenSSL / A.00.09.07m.047 HP-UX B.11.31 / OpenSSL / A.00.09.08j.003 http://www.itrc.hp.com/service/patch/mainPage.do Hewlett-Packard (HPSBMA02426) HP System Management Homepage para Linux (x86) v3.0.1.73 http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-b35b8e125d17427fa8a74e9ef6 HP System Management Homepage para Linux (AMD64/EM64T) v3.0.1.73 http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-d7bcce2dc82d43daaec308eb40 HP System Management Homepage para Windows v3.0.1.73 http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-8300d57bb5424791b0e61652e8 Hewlett-Packard (HPSBOV02540) HP SSL v 1.4 para OpenVMS plataformas Alpha e Integrity http://h71000.www7.hp.com/openvms/products/ssl/ssl.html |
|
Standar resources |
|
| Property | Value |
| CVE | CVE-2008-5077 |
| BID | |
Other resources |
|
|
OpenSSL http://www.openssl.org/news/secadv_20090107.txt Red Hat Security Advisory (RHSA-2009:0004-4) https://rhn.redhat.com/errata/RHSA-2009-0004.html Debian Security Advisory (DSA-1701-1) http://lists.debian.org/debian-security-announce/2009/msg00008.html SUSE Security Advisory (SUSE-SA:2009:006) http://www.novell.com/linux/security/advisories/2009_06_openssl.html Sun Alert Notification (250826) http://sunsolve.sun.com/search/document.do?assetkey=1-66-250826-1 HP SECURITY BULLETIN (HPSBUX02418) http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01706219-1 HP SECURITY BULLETIN (HPSBMA02426) http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01743291-1 HP SECURITY BULLETIN (HPSBOV02540) https://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02227287 |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2009-01-12 |
| 1.1 | Aviso emitido por Debian (DSA-1701-1) | 2009-01-13 |
| 1.2 | Aviso emitido por Suse (SUSE-SA:2009:006) | 2009-01-26 |
| 1.3 | Aviso emitido por Sun (250826) | 2009-02-04 |
| 1.4 | Aviso actualizado por Sun (250826) | 2009-03-20 |
| 1.5 | Aviso emitido por HP (HPSBUX02418) | 2009-04-03 |
| 1.6 | Aviso emitido por HP (HPSBMA02426) | 2009-05-19 |
| 1.7 | Aviso emitido por HP (HPSBOV02540) | 2010-06-17 |