CVE-2009-0265 - OpenCVE

Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Isc	Bind

Configuration 1 [-]

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

References

Link	Resource
http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33	Mailing List
http://secunia.com/advisories/33559	Broken Link Vendor Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.540362	Mailing List Patch
http://www.mandriva.com/security/advisories?name=MDVSA-2009:037	Broken Link
http://www.vupen.com/english/advisories/2009/0043	Broken Link
https://www.isc.org/node/373	Broken Link Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-01-26T15:05:00

Updated: 2009-01-29T10:00:00

Reserved: 2009-01-26T00:00:00

Link: CVE-2009-0265

JSON object: View

NVD Information

Status : Analyzed

Published: 2009-01-26T15:30:04.890

Modified: 2024-02-13T17:43:48.037

Link: CVE-2009-0265

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-01-07T00:00:00", "descriptions": [{"lang": "en", "value": "Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-01-29T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "MDVSA-2009:037", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:037"}, {"name": "33559", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33559"}, {"name": "ADV-2009-0043", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/0043"}, {"name": "SSA:2009-014-02", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.540362"}, {"tags": ["x_refsource_MISC"], "url": "http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.isc.org/node/373"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0265", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "MDVSA-2009:037", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:037"}, {"name": "33559", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33559"}, {"name": "ADV-2009-0043", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/0043"}, {"name": "SSA:2009-014-02", "refsource": "SLACKWARE", "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.540362"}, {"name": "http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33", "refsource": "MISC", "url": "http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33"}, {"name": "https://www.isc.org/node/373", "refsource": "CONFIRM", "url": "https://www.isc.org/node/373"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0265", "datePublished": "2009-01-26T15:05:00", "dateReserved": "2009-01-26T00:00:00", "dateUpdated": "2009-01-29T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EFE1A82-B875-4840-A5C0-5A2189D73606", "versionEndIncluding": "9.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025."}, {"lang": "es", "value": "Internet Systems Consortium (ISC) BIND en versiones 9.6.0 y anteriores no comprueba adecuadamente el valor de retorno de la funci\u00f3n EVP_VerifyFinal de OpenSSL, lo cual permite a atacantes remotos eludir la validaci\u00f3n del certificado a trav\u00e9s de una firma SSL/TLS malformada, se trata de una vulnerabilidad similar a CVE-2008-5077 y CVE-2009-0025."}], "id": "CVE-2009-0265", "lastModified": "2024-02-13T17:43:48.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2009-01-26T15:30:04.890", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Vendor Advisory"], "url": "http://secunia.com/advisories/33559"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.540362"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:037"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2009/0043"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://www.isc.org/node/373"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Not vulnerable. This issue did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.", "lastModified": "2009-01-26T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}