Widespread vulnerabilities found in programs which use OpenSSL

Jan 09, 2009, 17:03 (10 Talkback[s])

"The most important affected program is ISC Bind, which is the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. Bind have released BIND 9.6.0-P1 this morning to fix this bug.

"The common mistake is in the checking of return values from functions in OpenSSL that check digital signatures. Programmers have failed to allow for all the possible return values of the EVP_VerifyFinal function, and as a result some cases where the signature has not been successfully checked can be mistakenly treated as successfully verified."

Complete Story

Related Stories:

• Perspectives Extension Improves HTTPS Security(Oct 22, 2008)
• Flaws Found in BSD, Linux Software Updaters(Jul 16, 2008)
• After Debian's Epic SSL Blunder, A World of Hurt for Security Pros(May 22, 2008)
• Flaws Reported in Validated OpenSSL Module v1.1.1(Nov 30, 2007)
• All Systems Go for Validation of Updated OpenSSL Module(Sep 13, 2007)