OpenSSL accepts forged certificates
A flaw in the widely used OpenSSL SSL/TLS library can be exploited to lead users to believe that a forged certificate signature is valid. The flaw reportedly allows an SSL connection to be compromised, without any warning to OpenSSL-based clients, using a man-in-the-middle attack. This would allow attackers to listen to the communication.
The problem is caused by signatures made with DSA and ECDSA keys being checked incorrectly. The Digital Signature Algorithm (DSA) is a signature scheme based purely on discrete logarithms; ECDSA is its variant based on elliptic curves. Both algorithms can be used as alternatives to RSA.
According to the OpenSSL report, the value returned by the EVP_VerifyFinal function is processed incorrectly by other OpenSSL functions. The advisory from oCERT states that the same applies to the DSA_verify and DSA_do_verify functions. Certificates with RSA keys are not affected. The verification of client certificates by OpenSSL servers is also not affected, for any key type. All OpenSSL releases prior to 0.9.8j are vulnerable; version 0.9.8j no longer contains the vulnerability.
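The caller-side mistake the advisories describe, as an added C example that is not part of this article or of OpenSSL: a constructed stand-in `fake_verify_final()` mirrors the return contract of EVP_VerifyFinal() (1 verified, 0 not verified, negative on error such as a malformed signature) without doing any cryptography, and the vulnerable caller tests only for 0, so the error value is accepted as if the signature were valid.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for EVP_VerifyFinal(): same return contract,
 * no real cryptography.  1 = verified, 0 = not verified,
 * -1 = error (e.g. signature is not a DER SEQUENCE), which is NOT a verdict. */
const unsigned char GOOD_SIG[]      = { 0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x07 };
const unsigned char WRONG_SIG[]     = { 0x30, 0x06, 0x02, 0x01, 0x2b, 0x02, 0x01, 0x07 };
const unsigned char MALFORMED_SIG[] = { 0x00 };   /* constructed: no SEQUENCE tag */

int fake_verify_final(const unsigned char *sig, size_t sig_len)
{
    if (sig_len < 2 || sig[0] != 0x30 || sig[1] != sig_len - 2)
        return -1;                          /* decode error */
    if (sig_len == sizeof GOOD_SIG && memcmp(sig, GOOD_SIG, sig_len) == 0)
        return 1;                           /* verified */
    return 0;                               /* well-formed but does not verify */
}

/* Vulnerable caller pattern: only 0 is treated as failure, so the
 * error value -1 falls through to "accept". */
int accept_cert_buggy(const unsigned char *sig, size_t sig_len)
{
    if (fake_verify_final(sig, sig_len) == 0)
        return 0;                           /* reject */
    return 1;                               /* accept: reached for 1 and for -1 */
}

/* Fixed caller pattern: anything other than the explicit success value 1
 * (errors included) is a rejection. */
int accept_cert_fixed(const unsigned char *sig, size_t sig_len)
{
    return fake_verify_final(sig, sig_len) == 1;
}

int main(void)
{
    printf("buggy accepts malformed signature: %d\n",
           accept_cert_buggy(MALFORMED_SIG, sizeof MALFORMED_SIG));
    printf("fixed accepts malformed signature: %d\n",
           accept_cert_fixed(MALFORMED_SIG, sizeof MALFORMED_SIG));
    return 0;
}
```

The same `!= 1` check is the defensive habit to apply to every OpenSSL verification call whose documented success value is 1.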
According to the oCERT advisory, the flaw also affects the BIND name server, ntp.org's NTP client, and Sun's GridEngine. ISC, the vendor of BIND, has already released an update, without which attackers could inject forged name requests even into infrastructures protected by DNSSEC. As a workaround, ISC suggests disabling the DSA and ECDSA algorithms in the configuration.
See also:
- Incorrect checks for malformed signatures, advisory by OpenSSL
- Multiple OpenSSL signature verification API misuse, advisory by oCERT
- BIND Security Vulnerability - EVP_VerifyFinal() and DSA_do_verify() return checks 7Jan2009, report by ISC
(djwm)