Nortel Response to OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability
| Description: |
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to conduct spoofing attacks. Some Nortel products contain this software as a component and thus are potentially affected. This bulletin provides a multi-product consolidated response for the Nortel products which are potentially affected. The vulnerability is caused due to certain OpenSSL functions not correctly verifying the return value of the "EVP_VerifyFinal()" function when validating the signature of DSA and ECDSA keys. This can be exploited to bypass the signature check, such as by sending a specially crafted signature of a certificate chain to a client. Successful exploitation requires that the server uses a certificate containing a DSA or ECDSA key. Please refer to the vendor link for additional information - http://www.openssl.org/news/secadv_20090107.txt This bulletin addresses the following CVE: - CVE-2008-5077 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077) OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. Before taking any action please ensure that you are viewing the latest official version of this security advisory by referencing http://www.nortel.com/securityadvisories |
| Type: |
All Bulletin Types |
| Number: |
2009009350, Rev 1 |
| Status: |
Active |
| Date: |
2009-02-26 |
|
|
Title |
Extension |
File Size |
Language |
|
