Gale EVP_VerifyFinal() Security Bypass Vulnerability Network Vulnerability

Summary

The host is running Gale and is prone to security bypass vulnerability.

Impact

Successful exploitation could allow remote attackers to bypass the certificate validation checks and can cause spoofing attacks via signature checks on DSA and ECDSA keys used with SSL/TLS. Impact Level: System/Application

Solution

No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. For updates refer to http://www.gale.org/

Insight

The flaw is due to improper validation of return value in EVP_VerifyFinal function of openssl.

Affected

Gale version 0.99 and prior on Linux.

References

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0047
http://www.ocert.org/advisories/ocert-2008-016.html
http://www.securityfocus.com/archive/1/499855

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-0047

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Apache CouchDB Web Administration Interface Cross Site Scripting Vulnerability
Aardvark Topsites Multiple Vulnerabilities
aMSN session hijack vulnerability (Windows)
Adobe Digital Edition Information Disclosure Vulnerability (Windows)
Apple Safari JavaScript Implementation Information Disclosure Vulnerability (Windows)

Take action and discover your vulnerabilities