The library routines package for NASL (libnasl, the library for the scripting language used by the Nessus security scanner) did not correctly check the result of calling the DSA_do_verify function. DSA_do_verify returns 1 for a valid signature, 0 for an invalid signature and -1 on error, but the code treated any non-zero return as success, so a malformed signature that made the call fail was treated as a good signature rather than as an error. This issue affected the signature checks on DSA keys used with SSL/TLS.
Relevant part of the code (nasl/nasl_crypto2.c), before the fix:
    if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa))
        retc->x.i_val = 1;
- if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa))
+ if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa) == 1)
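Review bot: the `== 1` comparison is the correct fix, since DSA_do_verify returns 1 for a valid signature, 0 for an invalid one and -1 on error, and the old truthiness test let the -1 path set `retc->x.i_val = 1`. Consider also handling the -1 case separately from 0 (for example, reporting the OpenSSL error queue via ERR_get_error / ERR_error_string) rather than silently folding errors such as missing DSA parameters into "invalid signature", so that operational failures remain visible.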
This issue is similar to the recent OpenSSL CVE-2008-5077 flaw, in which OpenSSL itself failed to check the return value of EVP_VerifyFinal in the same way.
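To make the three-way return value concrete, here is an added example in C (not code from libnasl, Nessus or OpenSSL): a toy DSA verifier over tiny constructed parameters that follows the same 1 / 0 / -1 contract as DSA_do_verify, with the pre-fix and post-fix check patterns side by side. The key values (p = 23, q = 11, g = 4, x = 7), the 2-byte signature encoding, the digest function and every name in the block (toy_dsa_do_verify, check_vulnerable, check_fixed, ...) are assumptions made for illustration; the parameters are far too small to be secure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Public key. Leaving p, q or g at 0 models a key whose parameters are missing. */
typedef struct { uint32_t p, q, g, y; } toy_dsa_key;

/* (base ^ exp) mod m; operands are tiny, so 64-bit intermediates never overflow. */
static uint32_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) result = result * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* Inverse of a modulo the prime q via Fermat's little theorem (a ^ (q-2) mod q). */
static uint32_t modinv(uint32_t a, uint32_t q)
{
    return modpow(a, q - 2, q);
}

/* Toy digest: folds the message into a value mod q (DSA truncates the real hash to the size of q). */
static uint32_t toy_digest(const unsigned char *msg, size_t len, uint32_t q)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++)
        h = (h * 31 + msg[i]) % q;
    return h;
}

/* Sign digest dgst with private key x and per-message secret k.
 * Returns 0 and writes the toy 2-byte encoding {r, s} (OpenSSL uses DER instead),
 * or -1 when r or s is zero (real DSA then picks a fresh k). */
static int toy_dsa_do_sign(uint32_t dgst, const toy_dsa_key *key, uint32_t x, uint32_t k, unsigned char sig[2])
{
    uint32_t r = modpow(key->g, k, key->p) % key->q;
    uint32_t s = (uint32_t)((uint64_t)modinv(k, key->q) * ((dgst + (uint64_t)x * r) % key->q) % key->q);
    if (r == 0 || s == 0)
        return -1;
    sig[0] = (unsigned char)r;
    sig[1] = (unsigned char)s;
    return 0;
}

/* Same three-way contract as DSA_do_verify: 1 = valid, 0 = invalid, -1 = error (no verdict at all). */
static int toy_dsa_do_verify(uint32_t dgst, const unsigned char *sig, size_t siglen, const toy_dsa_key *key)
{
    if (key->p == 0 || key->q == 0 || key->g == 0)
        return -1;                      /* OpenSSL: missing parameters -> -1 */
    if (siglen != 2)
        return -1;                      /* blob cannot be decoded: an error, not a verdict */
    uint32_t r = sig[0], s = sig[1];
    if (r == 0 || r >= key->q || s == 0 || s >= key->q)
        return 0;                       /* out-of-range r or s: OpenSSL reports 0 here */
    uint32_t w  = modinv(s, key->q);
    uint32_t u1 = (uint32_t)((uint64_t)(dgst % key->q) * w % key->q);
    uint32_t u2 = (uint32_t)((uint64_t)r * w % key->q);
    uint32_t v  = (uint32_t)((uint64_t)modpow(key->g, u1, key->p) * modpow(key->y, u2, key->p) % key->p % key->q);
    return v == r ? 1 : 0;
}

/* libnasl before the fix: any non-zero return, including -1, sets i_val = 1. */
static int check_vulnerable(uint32_t dgst, const unsigned char *sig, size_t siglen, const toy_dsa_key *key)
{
    return toy_dsa_do_verify(dgst, sig, siglen, key) ? 1 : 0;
}

/* libnasl after the fix: only an explicit 1 counts as a verified signature. */
static int check_fixed(uint32_t dgst, const unsigned char *sig, size_t siglen, const toy_dsa_key *key)
{
    return toy_dsa_do_verify(dgst, sig, siglen, key) == 1 ? 1 : 0;
}

int main(void)
{
    /* Constructed toy key: p = 23, q = 11, g = 4, private x = 7, y = g^x mod p = 8. */
    const toy_dsa_key key = { 23, 11, 4, 8 };
    const unsigned char msg[] = "payload";
    unsigned char sig[2];
    uint32_t dgst = toy_digest(msg, sizeof msg - 1, key.q);

    if (toy_dsa_do_sign(dgst, &key, 7, 3, sig) != 0)
        return 1;
    printf("valid signature : vulnerable=%d fixed=%d\n",
           check_vulnerable(dgst, sig, 2, &key), check_fixed(dgst, sig, 2, &key));
    printf("truncated blob  : vulnerable=%d fixed=%d (verify returned %d)\n",
           check_vulnerable(dgst, sig, 1, &key), check_fixed(dgst, sig, 1, &key),
           toy_dsa_do_verify(dgst, sig, 1, &key));
    return 0;
}
```

Build with `cc -std=c99 -Wall toy_dsa.c`. The truncated blob makes toy_dsa_do_verify return -1; the old truthiness test reports that as a good signature, the `== 1` test does not. With the real OpenSSL function the -1 path is reached on errors such as missing DSA parameters or an internal failure, while out-of-range r or s values come back as 0; either way only a return of exactly 1 means the signature verified.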
This issue affects all versions of the libnasl package as shipped with Fedora 9, Fedora 10 and devel.
Common Vulnerabilities and Exposures assigned the identifier CVE-2009-0125 to
the following vulnerability:
nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library
(aka libnasl) 2.2.11 does not properly check the return value from the
OpenSSL DSA_do_verify function, which allows remote attackers to
bypass validation of the certificate chain via a malformed SSL/TLS
signature, a similar vulnerability to CVE-2008-5077.
Nessus upstream authors disputed that this is a security issue:
So while this is a bug, it's not considered a security issue upstream.
libnasl-2.2.11-3.fc10, nessus-core-2.2.11-1.fc10, nessus-libraries-2.2.11-1.fc10 have been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libnasl-2.2.11-3.fc9, nessus-core-2.2.11-1.fc9, nessus-libraries-2.2.11-1.fc9 have been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.