CVE-2002-1446
CVSS 5.0
Published: 2002-08-01 00:00:00
Last revised: 2008-09-05 16:30:37

[Original] The error checking routine used for the C_Verify call on a symmetric verification key in the nCipher PKCS#11 library 1.2.0 and later returns the CKR_OK status even when it detects an invalid signature, which could allow remote attackers to modify or forge messages.


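[CNNVD] nCipher PKCS#11 Symmetric Message Signature Verification Vulnerability (CNNVD-200208-001)

        The error-checking routine used for the C_Verify call on a symmetric verification key in the nCipher PKCS#11 library 1.2.0 and later returns the CKR_OK status even when it detects an invalid signature. Remote attackers could exploit this vulnerability to modify or forge messages.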
        

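- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow modification of system files]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]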

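- CPE (affected platforms and products)

Product and version information (CPE) is currently unavailable

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links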

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1446
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1446
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-001
(Official data source) CNNVD

- Other links and resources

http://www.ncipher.com/support/advisories/advisory5_c_verify.html
(PATCH)  CONFIRM  http://www.ncipher.com/support/advisories/advisory5_c_verify.html
http://www.securityfocus.com/bid/5498
(UNKNOWN)  BID  5498
http://www.iss.net/security_center/static/9895.php
(UNKNOWN)  XF  ncipher-cverify-improper-verification(9895)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html
(UNKNOWN)  BUGTRAQ  20020819 nCipher Advisory #5: C_Verify validates incorrect symmetric signatures

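- Vulnerability information

nCipher PKCS#11 Symmetric Message Signature Verification Vulnerability
Medium risk  Design error
2002-08-01 00:00:00 2005-06-06 00:00:00
Remote
        The error-checking routine used for the C_Verify call on a symmetric verification key in the nCipher PKCS#11 library 1.2.0 and later returns the CKR_OK status even when it detects an invalid signature. Remote attackers could exploit this vulnerability to modify or forge messages.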
        

- Advisories and patches

        nCipher reports that updated versions of the library are available for Microsoft Windows, Linux, AIX, Solaris and HP-UX. Customers are advised to contact the vendor for updates, or to check the availability of fixes for other platforms.

- Vulnerability information

14876
nCipher PKCS#11 Library C_Verify Call Error Routine Failure

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-08-19 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

nCipher PKCS#11 Symmetric Message Signature Verification Vulnerability
Design Error 5498
No No
2002-08-19 12:00:00 2009-07-11 03:56:00
Published in an nCipher Security Advisory.

- Affected program versions

nCipher nShield
nCipher nForce
nCipher nFast 800
nCipher nFast 75
nCipher nFast 300
nCipher nFast 150

- Unaffected program versions

nCipher nFast 800
nCipher nFast 75
nCipher nFast 300
nCipher nFast 150

- Vulnerability discussion

nCipher produces a range of hardware and software security products which support a range of cryptographic operations. A vulnerability has been reported in the nCipher cryptographic library.

When messages signed with symmetric keys according to the RSA PKCS#11 specification are checked, invalid signatures may not be detected. The C_Verify function will return 'CKR_OK' regardless of the validity of the signature.

Applications which depend on this functionality may then fail to detect invalid signatures. Consequences of exploitation will be dependent on the product which uses the vulnerable library. It is likely that modification or injection of data in encrypted communications is possible.

This issue exists in versions 1.2.0 and later of the nCipher cryptographic library.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

nCipher reports that updated versions of the library are available for Microsoft Windows, Linux, AIX, Solaris and HP-UX. Customers are advised to contact the vendor for updates, or to check the availability of fixes for other platforms.

- Related references

     

     
