CVE-2009-0591

The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Openssl	Openssl	0.9.8h (including)	0.9.8h (including)
Openssl	Openssl	0.9.8i (including)	0.9.8i (including)
Openssl	Openssl	0.9.8j (including)	0.9.8j (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc
http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
http://marc.info/?l=bugtraq\u0026m=124464882609472\u0026w=2
http://marc.info/?l=bugtraq\u0026m=127678688104458\u0026w=2
http://secunia.com/advisories/34411
http://secunia.com/advisories/34460
http://secunia.com/advisories/34666
http://secunia.com/advisories/35065
http://secunia.com/advisories/35380
http://secunia.com/advisories/35729
http://secunia.com/advisories/36701
http://secunia.com/advisories/42724
http://secunia.com/advisories/42733
http://securitytracker.com/id?1021907
http://sourceforge.net/project/shownotes.php?release_id=671059\u0026group_id=116847
http://support.apple.com/kb/HT3865
http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html
http://www.openssl.org/news/secadv_20090325.txt
http://www.osvdb.org/52865
http://www.php.net/archive/2009.php#id2009-04-08-1
http://www.securityfocus.com/bid/34256
http://www.vupen.com/english/advisories/2009/0850
http://www.vupen.com/english/advisories/2009/1020
http://www.vupen.com/english/advisories/2009/1175
http://www.vupen.com/english/advisories/2009/1548
https://exchange.xforce.ibmcloud.com/vulnerabilities/49432
https://kb.bluecoat.com/index?page=content\u0026id=SA50

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-0591
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References