Vulnerabilities > CVE-2008-5410 - Cryptographic Issues vulnerability in SUN Solaris 10.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 does not maintain reference counts for operations with asymmetric keys, which allows context-dependent attackers to cause a denial of service (failed cryptographic operations) via unspecified vectors, related to the (1) RSA_sign and (2) RSA_verify functions.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Solaris Local Security Checks NASL id SOLARIS10_139459.NASL description SunOS 5.10: libcrypto.so.0.9.7 patch. Date this patch was last updated by Sun : Dec/02/08 last seen 2018-09-01 modified 2018-08-13 plugin id 35201 published 2008-12-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=35201 title Solaris 10 (sparc) : 139459-01 NASL family Solaris Local Security Checks NASL id SOLARIS10_139459-01.NASL description SunOS 5.10: libcrypto.so.0.9.7 patch. Date this patch was last updated by Sun : Dec/02/08 last seen 2020-06-01 modified 2020-06-02 plugin id 107513 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107513 title Solaris 10 (sparc) : 139459-01 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_138863.NASL description SunOS 5.10_x86: libcrypto.so.0.9.7 patch. Date this patch was last updated by Sun : Dec/02/08 last seen 2018-09-01 modified 2018-08-13 plugin id 35210 published 2008-12-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=35210 title Solaris 10 (x86) : 138863-02
Oval
| accepted | 2009-02-16T04:00:23.547-05:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 does not maintain reference counts for operations with asymmetric keys, which allows context-dependent attackers to cause a denial of service (failed cryptographic operations) via unspecified vectors, related to the (1) RSA_sign and (2) RSA_verify functions. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:5914 | ||||||||
| status | accepted | ||||||||
| submitted | 2009-01-05T16:39:26.000-05:00 | ||||||||
| title | A Security Vulnerability in the OpenSSL PKCS#11 Engine May Result in Denial of Service (DoS) Due to a Corrupted Session Cache | ||||||||
| version | 35 |
References
- http://secunia.com/advisories/33050
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-138863-02-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-139459-01-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-246846-1
- http://www.securityfocus.com/bid/32671
- http://www.securitytracker.com/id?1021358
- http://www.vupen.com/english/advisories/2008/3372
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47137
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5914