漏洞信息详情
NTP 函数OpenSSL EVP_VerifyFinal 安全绕过漏洞
- CNNVD编号:CNNVD-200901-058
- 危害等级: 中危
- CVE编号: CVE-2009-0021
- 漏洞类型: 授权问题
- 发布时间: 2009-01-07
- 威胁类型: 远程
- 更新时间: 2009-05-16
- 厂 商: ntp
- 漏洞来源: Google安全小组
漏洞简介
NTP (Network Time Protocol)是一款客户端用于与时间服务器同步日期和时间的协议。
OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层(SSL v2/v3)和安全传输层(TLS v1)协议的通用加密库,它支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。
NTP 没有正确处理函数OpenSSL EVP_VerifyFinal返回值,使系统存在安全绕过漏洞。远程攻击者可以通过为DSA和ECDSA key伪造SSL/TLS签名绕过证书链表符合性检查。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
Ubuntu Ubuntu Linux 7.10 powerpc
Ubuntu bind9-doc_9.4.1-P1-3ubuntu2.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-doc_9.4.1-P1 -3ubuntu2.1_all.deb
Ubuntu bind9-host_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.4.1-P 1-3ubuntu2.1_powerpc.deb
Ubuntu bind9_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.4.1-P1-3ub untu2.1_powerpc.deb
Ubuntu dnsutils_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.4.1-P1- 3ubuntu2.1_powerpc.deb
Ubuntu libbind-dev_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.4.1- P1-3ubuntu2.1_powerpc.deb
Ubuntu libbind9-30_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind9-30_9.4.1- P1-3ubuntu2.1_powerpc.deb
Ubuntu libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_powerpc.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-u deb_0.9.8e-5ubuntu3.3_powerpc.udeb
Ubuntu libdns32_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns32_9.4.1-P1- 3ubuntu2.1_powerpc.deb
Ubuntu libisc32_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc32_9.4.1-P1- 3ubuntu2.1_powerpc.deb
Ubuntu libisccc30_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccc30_9.4.1-P 1-3ubuntu2.1_powerpc.deb
Ubuntu libisccfg30_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccfg30_9.4.1- P1-3ubuntu2.1_powerpc.deb
Ubuntu liblwres30_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/liblwres30_9.4.1-P 1-3ubuntu2.1_powerpc.deb
Ubuntu libssl-dev_0.9.8e-5ubuntu3.3_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8 e-5ubuntu3.3_powerpc.deb
Ubuntu libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_ 0.9.8e-5ubuntu3.3_powerpc.deb
Ubuntu libssl0.9.8_0.9.8e-5ubuntu3.3_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9. 8e-5ubuntu3.3_powerpc.deb
Ubuntu lwresd_9.4.1-P1-3ubuntu2.1_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/universe/b/bind9/lwresd_9.4.1-P 1-3ubuntu2.1_powerpc.deb
Ubuntu openssl_0.9.8e-5ubuntu3.3_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5 ubuntu3.3_powerpc.deb
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu bind9-doc_9.5.0.dfsg.P2-1ubuntu3.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-doc_9.5.0.df sg.P2-1ubuntu3.1_all.deb
Ubuntu bind9-host_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/bind9-host_9.5.0.dfsg.P2-1ub untu3.1_powerpc.deb
Ubuntu bind9_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/bind9_9.5.0.dfsg.P2-1ubuntu3 .1_powerpc.deb
Ubuntu bind9utils_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/bind9utils_9.5.0.dfsg.P2-1ub untu3.1_powerpc.deb
Ubuntu dnsutils_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/dnsutils_9.5.0.dfsg.P2-1ubun tu3.1_powerpc.deb
Ubuntu libbind-dev_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/libbind-dev_9.5.0.dfsg.P2-1u buntu3.1_powerpc.deb
Ubuntu libbind9-40_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/libbind9-40_9.5.0.dfsg.P2-1u buntu3.1_powerpc.deb
Ubuntu libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_powerpc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g -10.1ubuntu2.1_powerpc.udeb
Ubuntu libdns43_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/libdns43_9.5.0.dfsg.P2-1ubun tu3.1_powerpc.deb
Ubuntu libisc44_9.5.0.dfsg.P2-1ubuntu3.1_powerpc.deb
http://ports.ubuntu.com/pool/main/b/bind9/libisc44_9.5.0.dfsg.P2-1ubun tu3.1_powerpc.deb
Ubuntu libisccc40_
参考网址
来源: VUPEN
名称: ADV-2009-0042
链接:http://www.frsirt.com/english/advisories/2009/0042
来源: MLIST
名称: [announce] 20090108 NTP 4.2.4p6 Released
链接:https://lists.ntp.org/pipermail/announce/2009-January/000055.HTML
来源: VUPEN
名称: ADV-2009-1297
链接:http://www.vupen.com/english/advisories/2009/1297
来源: SECTRACK
名称: 1021533
链接:http://www.securitytracker.com/id?1021533
来源: REDHAT
名称: RHSA-2009:0046
链接:http://www.redhat.com/support/errata/RHSA-2009-0046.HTML
来源: MISC
链接:http://www.ocert.org/advisories/ocert-2008-016.HTML
来源: support.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com
链接:http://support.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/kb/HT3549
来源: SLACKWARE
名称: SSA:2009-014-03
链接:http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.531177
来源: SECUNIA
名称: 35074
链接:http://secunia.com/advisories/35074
来源: SECUNIA
名称: 34642
链接:http://secunia.com/advisories/34642
来源: SECUNIA
名称: 33648
链接:http://secunia.com/advisories/33648
来源: SECUNIA
名称: 33558
链接:http://secunia.com/advisories/33558
来源: SECUNIA
名称: 33406
链接:http://secunia.com/advisories/33406
来源: SUSE
名称: SUSE-SR:2009:008
链接:http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.HTML
来源: SUSE
名称: SUSE-SR:2009:005
链接:http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.HTML
来源: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple
名称: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple-SA-2009-05-12
链接:http://lists.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/archives/security-announce/2009/May/msg00002.HTML
受影响实体
- Ntp Ntp:4.2.2
- Ntp Ntp:4.2.0
- Ntp Ntp:4.2.4p1
- Ntp Ntp:4.2.4p2
- Ntp Ntp:4.2.4p3
补丁
暂无
![weinxin](http://zone.ci/zone_ci_images/zone.ci.png)
评论