OpenCA improperly verifies certificate signatures

openca-improper-signature-verification (14847) Risk level: Medium

Description:

OpenCA could allow a remote attacker to bypass signature verification, caused by a vulnerability in the libCheckSignature function in the crypto-utils.lib library. When validating a signed request, OpenCA identifies the signer by comparing only the serial number of the presented certificate with the one stored in its database, rather than the certificate itself. A remote attacker could exploit this vulnerability by using an invalid certificate to gain unauthorized access to an application using OpenCA.
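To make the flaw concrete, here is an added example (not OpenCA's code) that models the serial-only signer lookup described above beside a check that binds the signature to the exact certificate stored in the database. The certificate format, the trust directory, the database and the RSA keys are all constructed for the demonstration; the RSA is textbook and tiny, with no padding, and exists only so that both verification flows run offline.

```python
# Added example, not OpenCA's code: toy model of a signer lookup that compares
# only the certificate serial (the flaw the advisory describes) next to a
# lookup that compares the whole certificate and verifies with the stored key.
# RSA below is textbook and toy sized (no padding); it is here only so the two
# flows can be executed offline.
import hashlib
from dataclasses import dataclass


def make_key(p: int, q: int, e: int) -> tuple:
    """Textbook RSA keypair from two toy primes (constructed, demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus range of the toy key."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: tuple, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub: tuple, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


@dataclass
class Cert:
    issuer: str
    serial: int
    subject: str
    pub: tuple
    ca_sig: int = 0  # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The 'to be signed' part of the certificate (constructed encoding)."""
        return f"{self.issuer}|{self.serial}|{self.subject}|{self.pub}".encode()

    def fingerprint(self) -> str:
        return hashlib.sha256(self.tbs()).hexdigest()


def issue(ca_name: str, ca_priv: tuple, serial: int, subject: str, pub: tuple) -> Cert:
    cert = Cert(ca_name, serial, subject, pub)
    cert.ca_sig = sign(ca_priv, cert.tbs())
    return cert


def chain_trusted(cert: Cert, trusted_cas: dict) -> bool:
    """Accept a certificate if its issuer is in the trust directory and the
    issuer's signature over it verifies."""
    ca_pub = trusted_cas.get(cert.issuer)
    return ca_pub is not None and verify(ca_pub, cert.tbs(), cert.ca_sig)


def weak_identify(presented: Cert, body: bytes, sig: int, db_certs: list, trusted_cas: dict):
    """Flawed flow: check the chain and the signature under the presented
    certificate, then look the signer up in the database by serial alone."""
    if not chain_trusted(presented, trusted_cas) or not verify(presented.pub, body, sig):
        return None
    for stored in db_certs:
        if stored.serial == presented.serial:  # the only comparison made
            return stored.subject
    return None


def strict_identify(presented: Cert, body: bytes, sig: int, db_certs: list, trusted_cas: dict):
    """Hardened flow: the stored certificate must be the same certificate
    (full fingerprint), and the signature is verified with the stored key."""
    if not chain_trusted(presented, trusted_cas):
        return None
    for stored in db_certs:
        if stored.fingerprint() == presented.fingerprint() and verify(stored.pub, body, sig):
            return stored.subject
    return None


# Constructed scenario: two CAs are both in the trust directory, and two
# end-entity certificates from different CAs happen to share serial 42.
CA1_PUB, CA1_PRIV = make_key(61, 53, 17)
CA2_PUB, CA2_PRIV = make_key(101, 113, 3)
ALICE_PUB, ALICE_PRIV = make_key(127, 131, 11)
MALLORY_PUB, MALLORY_PRIV = make_key(137, 139, 7)
TRUSTED = {"CA1": CA1_PUB, "CA2": CA2_PUB}
ALICE = issue("CA1", CA1_PRIV, 42, "alice", ALICE_PUB)
MALLORY = issue("CA2", CA2_PRIV, 42, "mallory", MALLORY_PUB)
DB = [ALICE]  # only alice is a registered user
REQUEST = b"revoke certificate 1001"


def run() -> dict:
    """Who each flow believes signed REQUEST, for alice's and mallory's signatures."""
    good = sign(ALICE_PRIV, REQUEST)
    other = sign(MALLORY_PRIV, REQUEST)
    return {
        "weak_alice": weak_identify(ALICE, REQUEST, good, DB, TRUSTED),
        "weak_mallory": weak_identify(MALLORY, REQUEST, other, DB, TRUSTED),
        "strict_alice": strict_identify(ALICE, REQUEST, good, DB, TRUSTED),
        "strict_mallory": strict_identify(MALLORY, REQUEST, other, DB, TRUSTED),
    }


if __name__ == "__main__":
    print(run())
```

In the weak flow the second certificate passes the chain check and its own signature check, and the serial match then maps it onto alice's database entry, so the request is attributed to the wrong user; the strict flow never reaches a match because the stored certificate is not the presented one. The defensive point is that a serial is only unique within one issuer, so the signer lookup has to compare the full certificate (or at least issuer plus serial) and verify against the key the database already holds.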

Platforms Affected:

  • OpenCA, OpenCA prior to 0.9.1.7

Remedy:

Upgrade to the latest version of OpenCA (0.9.1.7 or later), available from the OpenCA Web site. See References.

Consequences:

Gain Access

References:

  • OpenCA Security Advisory [16 January 2004], Vulnerability in signature verification at http://archives.neohapsis.com/archives/bugtraq/2004-01/0125.html.
  • OpenCA Web site, OpenCA PKI Development Project at http://www.openca.org/openca/.
  • BID-9435: OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
  • BID-944: HP Path MTU Discovery DoS Vulnerability
  • CVE-2004-0004: The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users.
  • OSVDB ID: 3615: OpenCA libCheckSignature Signature Validation
  • US-CERT VU#336446: OpenCA libCheckSignature function fails to properly verify the signature of certificates

Reported:

Jan 16, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
