
Vulnerability: OpenCA crypto-utils.lib libCheckSignature Function Signature Validation Weakness
Report: http://www.exploitsearch.net/index.php?q=943+BID
Description: Nessus [14715] http://www.nessus.org/plugins/index.php?view=single&id=14715

OpenCA crypto-utils.lib libCheckSignature Function Signature Validation Weakness

The remote host seems to be running an older version of OpenCA. It is reported that OpenCA versions up to and including 0.9.1.6 contain a flaw that may lead an attacker to bypass signature verification of a certificate.

CVSS Score = AV:N/AC:L/Au:N/C:P/I:P/A:P

References
- BID 9435
- CVE-2004-0004
- OSVDB 3615

Tools
- Nessus 14715

Initial Date Seen [2011-03-17 00:00:00] Last Date Updated [2011-03-17 00:00:00]

Summary: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0004

National Cyber-Alert System


Vulnerability Summary for CVE-2004-0004
Original release date: 02/17/2004
Last revised: 09/05/2008
Source: US-CERT/NIST

Overview
The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users.

Impact
CVSS Severity (version 2.0 incomplete approximation):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

References to Advisories, Solutions, and Tools


US-CERT Vulnerability Note: VU#336446
Name: VU#336446
Hyperlink: http://www.kb.cert.org/vuls/id/336446

External Source: BID
Name: 9435
Type: Advisory; Patch Information
Hyperlink: http://www.securityfocus.com/bid/9435

External Source: CONFIRM
Name: http://www.openca.org/news/CAN-2004-0004.txt
Type: Advisory; Patch Information
Hyperlink: http://www.openca.org/news/CAN-2004-0004.txt

External Source: XF
Name: openca-improper-signature-verification(14847)
Hyperlink: http://xforce.iss.net/xforce/xfdb/14847

External Source: OSVDB
Name: 3615
Hyperlink: http://www.osvdb.org/3615

External Source: BUGTRAQ
Name: 20040116 [OpenCA Advisory] Vulnerability in signature verification
Hyperlink: http://marc.theaimsgroup.com/?l=bugtraq&m=107427313700554&w=2

Vulnerable software and versions


Configuration 1
OR
* cpe:/a:openca:openca:0.9.1.6 and previous versions

* Denotes Vulnerable Software

Technical Details
Vulnerability Type
CVE Standard Vulnerability Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0004

Fix: http://www.openca.info/legacy/CAN-2004-0004.txt
OpenCA Security Advisory [16 January 2004]

Vulnerability in signature validation
=====================================

A flaw in OpenCA before version 0.9.1.7 could cause OpenCA to accept a signature from a certificate if the certificate's chain is trusted by the chain directory of OpenCA. This means that a certificate from another PKI can authorize operations on the used PKI if the chain of the used signature certificate can establish a trust relationship to the actually used PKI.

Alexandru Matei found the bug during a source code verification. Alexandru Matei and Michael Bell of the OpenCA core team fixed the problem for OpenCA 0.9.1 and the CVS HEAD.

Vulnerability
-------------

OpenCA has a library for common crypto operations - crypto-utils.lib. This library includes a function to check a signature (libCheckSignature). The function loads the used signature certificate from OpenCA's database and finally ensures that the used signature certificate is identical with the certificate in the database. The comparison of the certificate in the database and the certificate of the signer was only performed on the basis of the serial of the certificate.

The design of the function can cause the acceptance of a signature if the chain of the signature can create a trust relationship to the chain directory of OpenCA and a certificate with a matching serial exists in the used PKI.

Who is affected?
----------------

All versions of OpenCA including 0.9.1.6. A security risk is present for people who are using digital signatures to secure approved requests or role based access control (RBAC).

Recommendations
---------------

Upgrade to 0.9.1.7 and use newer snapshots than openca-SNAP-20040114.tar.gz. You can fix the problem by yourself too with the included patch. The original file which we used to create the diff is from OpenCA 0.9.1.6.

-----BEGIN PATCH------- src/common/lib/functions/crypto-utils.lib 2004-01-15 12:10:45.000000000 +0100 +++ src/common/lib/functions/crypto-utils.lib.new 2004-01-15 12:10:06.000000000 +0100 
@@ -201,7 +201,7 @@ "__ERRVAL__", $OpenCA::X509::errval); return undef; } last if ( $tmpCert->getSerial() eq $sigCert->getSerial() ); + last if ( $tmpCert->getPEM() eq $sigCert->getPEM() ); $sigCert = undef; } -----END PATCH-----
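
Review bot: The added comparison "$tmpCert->getPEM() eq $sigCert->getPEM()" is an exact string match, so it depends on both objects producing byte-identical PEM text (line wrapping, trailing newline, header lines); if the database copy and the copy taken from the signature can be serialized differently, a valid signature is rejected. That fails closed, which is the safe direction, but comparing a canonical form (the DER bytes or a digest of them) would remove the dependency on formatting. A one-line comment above the "last if" saying why the serial alone is not enough (serials are unique only within one issuing CA) would help keep the check from being loosened later. As rendered on this page the removed getSerial() line has lost its leading "-", so the patch should be taken from the advisory URL rather than copied from this text.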

References
----------

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0004 to this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0004

URL for this Security Advisory:
http://www.openca.org/news/CAN-2004-0004.txt
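
The following added example (not part of the advisory and not OpenCA code) models in Python the lookup loop the advisory describes, with the serial-only match beside the whole-certificate match. The Cert class, the issuer-name check standing in for chain validation, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    issuer: str
    serial: int
    subject: str
    public_key: bytes

    def encoded(self) -> bytes:
        # Plays the role of getPEM(): a serialization covering every field.
        return repr((self.issuer, self.serial, self.subject, self.public_key)).encode()

def same_serial(a: Cert, b: Cert) -> bool:
    # Check used up to 0.9.1.6: serials are unique only per issuing CA.
    return a.serial == b.serial

def same_certificate(a: Cert, b: Cert) -> bool:
    # Check after the fix: the entire encoded certificate must be identical.
    return a.encoded() == b.encoded()

def attribute_signature(sig_cert: Cert, database: Iterable[Cert],
                        trusted_issuers: set,
                        match: Callable[[Cert, Cert], bool]) -> Optional[str]:
    """Return the database subject the signature is credited to, or None."""
    if sig_cert.issuer not in trusted_issuers:   # simplified chain directory check
        return None
    for tmp_cert in database:                    # mirrors the loop in the patch
        if match(tmp_cert, sig_cert):
            return tmp_cert.subject
    return None

# Constructed sample data: two PKIs whose chains are both trusted.
CHAIN_DIR = {"CN=Local CA", "CN=Partner CA"}
OPERATOR = Cert("CN=Local CA", 0x2A, "CN=RA Operator", b"operator-key")
OUTSIDER = Cert("CN=Partner CA", 0x2A, "CN=Outsider", b"outsider-key")
DATABASE = [Cert("CN=Local CA", 0x01, "CN=Web Server", b"server-key"), OPERATOR]

def demo() -> dict:
    return {
        "serial_only_foreign": attribute_signature(OUTSIDER, DATABASE, CHAIN_DIR, same_serial),
        "full_cert_foreign": attribute_signature(OUTSIDER, DATABASE, CHAIN_DIR, same_certificate),
        "full_cert_genuine": attribute_signature(OPERATOR, DATABASE, CHAIN_DIR, same_certificate),
    }

if __name__ == "__main__":
    for case, subject in demo().items():
        print(f"{case}: {subject}")
```

With the serial-only match the foreign certificate is credited to the local operator's identity; with the whole-certificate match it is rejected while the genuine certificate still resolves.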
