NTP BUG 1111: Multiple OpenSSL signature verification API misuse

Last update: June 28, 2022 20:06 UTC (57417e17c)


Summary

Resolved: Stable (4.2.4p6), 8 Jan 2009; Development (4.2.5p151), 23 Dec 2008
References: Bug 1111, CVE-2009-0021
Affects: 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150. Resolved in 4.2.4p6 and 4.2.5p151.

Description

Affected versions do not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a different vulnerability than CVE-2008-5077 and CVE-2009-0025.
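The return-value problem described above, as an added example (not the NTP source). EVP_VerifyFinal returns 1 for a valid signature, 0 for an invalid one and -1 on error. Here `model_verify_final`, the toy signature layout, the sample bytes and the `accept_unchecked` form of the misuse are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for EVP_VerifyFinal() (hypothetical model, not OpenSSL code).
 * Same tri-state result: 1 = valid, 0 = invalid signature, -1 = error.
 * Toy layout: tag 0x30, one length byte, then the expected digest. */
static int model_verify_final(const unsigned char *sig, size_t siglen,
                              const unsigned char *digest, size_t dlen)
{
    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] != siglen - 2)
        return -1;                      /* malformed encoding: error path */
    if ((size_t)sig[1] != dlen || memcmp(sig + 2, digest, dlen) != 0)
        return 0;                       /* well-formed, but does not match */
    return 1;                           /* well-formed and matching */
}

/* Misuse: only 0 counts as failure, so the -1 error result is accepted. */
int accept_unchecked(const unsigned char *sig, size_t siglen,
                     const unsigned char *digest, size_t dlen)
{
    if (!model_verify_final(sig, siglen, digest, dlen))
        return 0;
    return 1;
}

/* Correct check: accept only the one value that means "verified". */
int accept_strict(const unsigned char *sig, size_t siglen,
                  const unsigned char *digest, size_t dlen)
{
    return model_verify_final(sig, siglen, digest, dlen) == 1;
}

/* Constructed sample inputs. */
const unsigned char DIGEST[4]        = {0xde, 0xad, 0xbe, 0xef};
const unsigned char SIG_GOOD[6]      = {0x30, 0x04, 0xde, 0xad, 0xbe, 0xef};
const unsigned char SIG_WRONG[6]     = {0x30, 0x04, 0x00, 0x00, 0x00, 0x00};
const unsigned char SIG_MALFORMED[6] = {0x30, 0x7f, 0x00, 0x00, 0x00, 0x00};

int main(void)
{
    printf("malformed: unchecked=%d strict=%d\n",
           accept_unchecked(SIG_MALFORMED, 6, DIGEST, 4),
           accept_strict(SIG_MALFORMED, 6, DIGEST, 4));
    return 0;
}
```

When auditing callers, any test of the form `if (!EVP_VerifyFinal(...))` or `if (EVP_VerifyFinal(...))` deserves the same scrutiny; the comparison should be against 1 explicitly.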


Mitigation


Credit


Timeline