Executive Summary

Informations
Name CVE-2009-0125 First vendor Publication 2009-01-15
Vendor Cve Last vendor Modification 2024-05-17

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the OpenSSL DSA_do_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: the upstream vendor has disputed this issue, stating "while we do misuse this function (this is a bug), it has absolutely no security ramification.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0125

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

OpenVAS Exploits

Date Description
2009-10-19 Name : Mandrake Security Advisory MDVSA-2009:271 (libnasl)
File : nvt/mdksa_2009_271.nasl
2009-02-02 Name : SuSE Security Summary SUSE-SR:2009:003
File : nvt/suse_sr_2009_003.nasl
2009-01-22 Name : OpenSSL DSA_do_verify() Security Bypass Vulnerability in NASL
File : nvt/secpod_nasl_sec_bypass_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
51164 OpenSSL EVP_VerifyFinal Function DSA / ECDSA Key Validation Weakness

OpenSSL contains a flaw that may allow a malicious user to perform a 'man in the middle' attack. The issue is triggered when several functions within OpenSSL incorrectly check the result of the EVP_VerifyFinal function. It is possible that the flaw may allow a malformed signature to be treated as a good signature instead of an error, resulting in a loss of integrity.

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-0004.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-0020.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2009-0046.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2009-0046.nasl - Type : ACT_GATHER_INFO
2009-07-27 Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2009-0004.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_libnasl-090120.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-705-1.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-706-1.nasl - Type : ACT_GATHER_INFO
2009-02-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-0020.nasl - Type : ACT_GATHER_INFO
2009-01-29 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2009-0046.nasl - Type : ACT_GATHER_INFO
2009-01-22 Name : The remote openSUSE host is missing a security update.
File : suse_libnasl-5943.nasl - Type : ACT_GATHER_INFO
2009-01-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1701.nasl - Type : ACT_GATHER_INFO
2009-01-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1702.nasl - Type : ACT_GATHER_INFO
2009-01-09 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-0020.nasl - Type : ACT_GATHER_INFO
2009-01-08 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-0004.nasl - Type : ACT_GATHER_INFO
2009-01-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-0004.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
CONFIRM http://cvs.fedoraproject.org/viewvc/rpms/libnasl/F-10/libnasl.spec?r1=1.16&am...
https://bugzilla.redhat.com/show_bug.cgi?id=479655
MISC http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511517
MLIST http://openwall.com/lists/oss-security/2009/01/12/4
SUSE http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html
VIM http://www.attrition.org/pipermail/vim/2009-January/002133.html

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
Date Informations
2024-05-17 09:28:41
  • Multiple Updates
2024-05-14 21:28:28
  • Multiple Updates
2024-04-11 09:28:44
  • Multiple Updates
2024-03-21 09:28:46
  • Multiple Updates
2023-11-07 21:47:46
  • Multiple Updates
2021-05-04 12:09:00
  • Multiple Updates
2021-04-22 01:09:21
  • Multiple Updates
2020-05-23 00:23:12
  • Multiple Updates
2016-04-26 18:33:23
  • Multiple Updates
2014-02-17 10:48:19
  • Multiple Updates
2013-05-10 23:41:54
  • Multiple Updates