On Wed, Jan 07, 2009 at 02:17:09PM +0100, Dr. Stephen Henson wrote:

> Several functions inside OpenSSL incorrectly checked the result after
> calling the EVP_VerifyFinal function, allowing a malformed signature
> to be treated as a good signature rather than as an error. This issue
> affected the signature checks on DSA and ECDSA keys used with
> SSL/TLS.
>
> One way to exploit this flaw would be for a remote attacker who is in
> control of a malicious server or who can use a 'man in the middle'
> attack to present a malformed SSL/TLS signature from a certificate chain
> to a vulnerable client, bypassing validation.
>
> This vulnerability is tracked as CVE-2008-5077.
>
> The OpenSSL security team would like to thank the Google Security Team
> for reporting this issue.
>
> Who is affected?
> =================
>
> Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
> when connecting to a server whose certificate contains a DSA or ECDSA key.
>
> Use of OpenSSL as an SSL/TLS client when connecting to a server whose
> certificate uses an RSA key is NOT affected.
>
> Verification of client certificates by OpenSSL servers for any key type
> is NOT affected.

This is not very clear to me. Which signatures are poorly verified:

1. The server's signature on SSL/TLS protocol messages that must be
   signed under the server's private key (corresponding to the private
   key in its certificate)?

OR

2. Certificate Authority (CA) signatures of the server certificate or
   intermediate CA certificates?

OR

3. Both or other (please elaborate).

If it is just "1" and limited to DSA or ECDSA server keys, and given that
almost all keys "in the wild" are RSA keys (no public CAs are signing ECDSA
certs AFAIK), is the exposure just in environments where some private-CA
(or non-CA mechanism) supports trust for DSA or ECDSA certs?

If it is "2", then which keys must be DSA or ECDSA, the server's or the CA's?

It sounds as though X.509 trust chain validation is not affected, and
the exposure is just with server signatures of protocol messages (i.e. "1"
only), but this is not completely clear, at least to me.

--
	Viktor.
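
The result-checking mistake described in the quoted advisory, as an added example that is not part of the original thread and is not OpenSSL's code: EVP_VerifyFinal is documented to return 1 for a valid signature, 0 for an invalid one and -1 for an error, so a boolean-style test lets the error case through. The function `model_verify_final` and the sample signatures are hypothetical stand-ins so the block runs without linking OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with EVP_VerifyFinal's documented return
 * convention: 1 = signature valid, 0 = signature invalid, -1 = error
 * (for example, the signature could not be parsed). In this model a
 * signature is "valid" if it is the 4 bytes "GOOD"; any other length
 * is treated as malformed. */
static int model_verify_final(const unsigned char *sig, size_t len)
{
    if (len != 4)
        return -1;                       /* malformed input: error */
    return memcmp(sig, "GOOD", 4) == 0;  /* 1 = valid, 0 = invalid */
}

/* Incorrect check: only 0 counts as failure, so -1 is accepted. */
int accept_sig_boolean_check(const unsigned char *sig, size_t len)
{
    if (!model_verify_final(sig, len))
        return 0;   /* reject */
    return 1;       /* accept: reached for 1 and also for -1 */
}

/* Correct check: success is exactly 1; 0 and -1 both reject. */
int accept_sig_strict_check(const unsigned char *sig, size_t len)
{
    if (model_verify_final(sig, len) != 1)
        return 0;   /* reject */
    return 1;       /* accept */
}

int main(void)
{
    /* Constructed sample inputs, not real signatures. */
    struct { const char *name; const char *sig; size_t len; } cases[] = {
        { "valid",     "GOOD", 4 },
        { "invalid",   "BAAD", 4 },
        { "malformed", "XX",   2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const unsigned char *s = (const unsigned char *)cases[i].sig;
        printf("%-9s boolean=%d strict=%d\n", cases[i].name,
               accept_sig_boolean_check(s, cases[i].len),
               accept_sig_strict_check(s, cases[i].len));
    }
    return 0;
}
```

When auditing callers of tri-state verify functions, search for `if (!call(...))` and `if (call(...))` forms and confirm each one compares against the success value explicitly.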