Lasso OpenSSL "DSA_verify()" Spoofing Vulnerability

Release Date: 2009-01-08 Views: 3,651

Secunia Advisory SA33449

Where:

From remote

Impact:

Spoofing,

Solution Status:

Vendor Workaround

Software:

Lasso 2.x

CVE Reference(s):

CVE-2009-0050

Description

A vulnerability has been reported in Lasso, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to the library incorrectly verifying the return value of the "DSA_verify()" OpenSSL function when validating signatures and can be exploited to potentially spoof server responses.

The vulnerability is reported in version 2.2.1. Other versions may also be affected.

Solution:
Fixed in the SVN repository.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Originally reported in OpenSSL by the Google Security Team.

Reported in Lasso by oCERT.

Original Advisory:
oCERT:
http://www.ocert.org/advisories/ocert-2008-016.html

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Lasso OpenSSL "DSA_verify()" Spoofing Vulnerability

No posts yet

Lasso OpenSSL "DSA_verify()" Spoofing Vulnerability

Secunia Advisory SA33449

Description

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?