National Vulnerability Database (NVD) National Vulnerability Database (CVE-2009-0789)

National Cyber Awareness System

Vulnerability Summary for CVE-2009-0789

Original release date:03/27/2009

Last revised:10/26/2011

Source: US-CERT/NIST

Overview

OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows disruption of serviceUnknown

Vendor Statements (disclaimer)

Official Statement from Red Hat (03/30/2009)

Not vulnerable. This issue only affects a small number of operating systems and does not affect the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 34256

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/34256

External Source: CONFIRM

Name: https://kb.bluecoat.com/index?page=content&id=SA50

Hyperlink:https://kb.bluecoat.com/index?page=content&id=SA50

External Source: XF

Name: openssl-asn1-structure-dos(49433)

Hyperlink:http://xforce.iss.net/xforce/xfdb/49433

External Source: VUPEN

Name: ADV-2009-1548

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/1548

External Source: VUPEN

Name: ADV-2009-1175

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/1175

External Source: VUPEN

Name: ADV-2009-1020

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/1020

External Source: VUPEN

Name: ADV-2009-0850

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/0850

External Source: CONFIRM

Name: http://www.php.net/archive/2009.php#id2009-04-08-1

Hyperlink:http://www.php.net/archive/2009.php#id2009-04-08-1

External Source: OSVDB

Name: 52866

Hyperlink:http://www.osvdb.org/52866

External Source: CONFIRM

Name: http://www.openssl.org/news/secadv_20090325.txt

Type: Advisory

Hyperlink:http://www.openssl.org/news/secadv_20090325.txt

External Source: CONFIRM

Name: http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html

Hyperlink:http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html

External Source: CONFIRM

Name: http://support.apple.com/kb/HT3865

Hyperlink:http://support.apple.com/kb/HT3865

External Source: CONFIRM

Name: http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847

Hyperlink:http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847

External Source: SECTRACK

Name: 1021906

Hyperlink:http://securitytracker.com/id?1021906

External Source: SECUNIA

Name: 42733

Type: Advisory

Hyperlink:http://secunia.com/advisories/42733

External Source: SECUNIA

Name: 42724

Type: Advisory

Hyperlink:http://secunia.com/advisories/42724

External Source: SECUNIA

Name: 36701

Type: Advisory

Hyperlink:http://secunia.com/advisories/36701

External Source: SECUNIA

Name: 35729

Type: Advisory

Hyperlink:http://secunia.com/advisories/35729

External Source: SECUNIA

Name: 35380

Type: Advisory

Hyperlink:http://secunia.com/advisories/35380

External Source: SECUNIA

Name: 35065

Hyperlink:http://secunia.com/advisories/35065

External Source: SECUNIA

Name: 34666

Hyperlink:http://secunia.com/advisories/34666

External Source: SECUNIA

Name: 34460

Type: Advisory

Hyperlink:http://secunia.com/advisories/34460

External Source: SECUNIA

Name: 34411

Type: Advisory

Hyperlink:http://secunia.com/advisories/34411

External Source: HP

Name: SSRT090059

Hyperlink:http://marc.info/?l=bugtraq&m=124464882609472&w=2

External Source: HP

Name: SSRT090059

Hyperlink:http://marc.info/?l=bugtraq&m=124464882609472&w=2

External Source: SUSE

Name: SUSE-SU-2011:0847

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

External Source: SUSE

Name: openSUSE-SU-2011:0845

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

External Source: SUSE

Name: SUSE-SR:2009:010

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

External Source: APPLE

Name: APPLE-SA-2009-09-10-2

Hyperlink:http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html

External Source: NETBSD

Name: NetBSD-SA2009-008

Hyperlink:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc

Vulnerable software and versions

Configuration 1

* cpe:/a:openssl:openssl:0.9.8j and previous versions

* cpe:/a:openssl:openssl:0.9.8i

* cpe:/a:openssl:openssl:0.9.8h

* cpe:/a:openssl:openssl:0.9.8g

* cpe:/a:openssl:openssl:0.9.8f

* cpe:/a:openssl:openssl:0.9.8e

* cpe:/a:openssl:openssl:0.9.8d

* cpe:/a:openssl:openssl:0.9.8c

* cpe:/a:openssl:openssl:0.9.8b

* cpe:/a:openssl:openssl:0.9.8a

* cpe:/a:openssl:openssl:0.9.8

* cpe:/a:openssl:openssl:0.9.7l

* cpe:/a:openssl:openssl:0.9.7m

* cpe:/a:openssl:openssl:0.9.7k

* cpe:/a:openssl:openssl:0.9.7j

* cpe:/a:openssl:openssl:0.9.7i

* cpe:/a:openssl:openssl:0.9.7h

* cpe:/a:openssl:openssl:0.9.7g

* cpe:/a:openssl:openssl:0.9.7f

* cpe:/a:openssl:openssl:0.9.7e

* cpe:/a:openssl:openssl:0.9.7d

* cpe:/a:openssl:openssl:0.9.7c

* cpe:/a:openssl:openssl:0.9.7b

* cpe:/a:openssl:openssl:0.9.7a

* cpe:/a:openssl:openssl:0.9.7:beta6

* cpe:/a:openssl:openssl:0.9.7:beta5

* cpe:/a:openssl:openssl:0.9.7:beta4

* cpe:/a:openssl:openssl:0.9.7:beta3

* cpe:/a:openssl:openssl:0.9.7:beta2

* cpe:/a:openssl:openssl:0.9.7:beta1

* cpe:/a:openssl:openssl:0.9.7

* cpe:/a:openssl:openssl:0.9.6g

* cpe:/a:openssl:openssl:0.9.6f

* cpe:/a:openssl:openssl:0.9.6i

* cpe:/a:openssl:openssl:0.9.6h

* cpe:/a:openssl:openssl:0.9.6e

* cpe:/a:openssl:openssl:0.9.6d

* cpe:/a:openssl:openssl:0.9.6k

* cpe:/a:openssl:openssl:0.9.6j

* cpe:/a:openssl:openssl:0.9.6l

* cpe:/a:openssl:openssl:0.9.6m

* cpe:/a:openssl:openssl:0.9.6c

* cpe:/a:openssl:openssl:0.9.6b

* cpe:/a:openssl:openssl:0.9.6a

* cpe:/a:openssl:openssl:0.9.6a:beta1

* cpe:/a:openssl:openssl:0.9.6a:beta2

* cpe:/a:openssl:openssl:0.9.6a:beta3

* cpe:/a:openssl:openssl:0.9.6

* cpe:/a:openssl:openssl:0.9.6:beta1

* cpe:/a:openssl:openssl:0.9.6:beta2

* cpe:/a:openssl:openssl:0.9.6:beta3

* cpe:/a:openssl:openssl:0.9.5:beta2

* cpe:/a:openssl:openssl:0.9.5a

* cpe:/a:openssl:openssl:0.9.5a:beta1

* cpe:/a:openssl:openssl:0.9.5a:beta2

* cpe:/a:openssl:openssl:0.9.5

* cpe:/a:openssl:openssl:0.9.5:beta1

* cpe:/a:openssl:openssl:0.9.4

* cpe:/a:openssl:openssl:0.9.3

* cpe:/a:openssl:openssl:0.9.3a

* cpe:/a:openssl:openssl:0.9.2b

* cpe:/a:openssl:openssl:0.9.1c

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Numeric Errors (CWE-189)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0789