Vulnerability CVE-2008-5410

Vulnerability Name:

CVE-2008-5410 (CCN-47137)

Assigned:

2008-12-03

Published:

2008-12-03

Updated:

2017-09-29

Summary:

The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 does not maintain reference counts for operations with asymmetric keys, which allows context-dependent attackers to cause a denial of service (failed cryptographic operations) via unspecified vectors, related to the (1) RSA_sign and (2) RSA_verify functions.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-310

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2008-5410

Source: CCN
Type: SA33050
Sun Solaris OpenSSL PKCS#11 Denial of Service Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
33050

Source: CCN
Type: SECTRACK ID: 1021358
Solaris OpenSSL PKCS#11 Engine Session Cache Bug Lets Remote or Local Users Deny Service

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-138863-02-1

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-139459-01-1

Source: SUNALERT
Type: Vendor Advisory
246846

Source: CCN
Type: Sun Alert ID: 246846
A Security Vulnerability in the OpenSSL PKCS#11 Engine May Result in Denial of Service (DoS) Due to a Corrupted Session Cache

Source: CCN
Type: ASA-2008-505
A Security Vulnerability in the OpenSSL PKCS#11 Engine May Result in Denial of Service (DoS) Due to a Corrupted Session Cache (Sun 246846)

Source: CCN
Type: NORTEL BULLETIN ID: 2009009295, Rev 1
Nortel: Technical Support: Nortel Response to Sun Alert 246846 - Solaris 10 OpenSSL PKCS#11 Engine May Result in Denial of Service (DoS)

Source: CCN
Type: OSVDB ID: 50614
Solaris OpenSSL PKCS#11 Corrupted Session Cache DoS

Source: BID
Type: UNKNOWN
32671

Source: CCN
Type: BID-32671
Sun Solaris OpenSSL 'PKCS#11' Engine Remote Denial Of Service Vulnerability

Source: SECTRACK
Type: UNKNOWN
1021358

Source: VUPEN
Type: UNKNOWN
ADV-2008-3372

Source: XF
Type: UNKNOWN
solaris-openssl-pkcs11engine-dos(47137)

Source: XF
Type: UNKNOWN
solaris-openssl-pkcs11engine-dos(47137)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:5914

Vulnerable Configuration:

Configuration 1:

cpe:/o:sun:solaris:10.0:*:sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:10.0:*:x86:*:*:*:*:*

Configuration CCN 1:

cpe:/o:sun:solaris:10::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:5914	V	A Security Vulnerability in the OpenSSL PKCS#11 Engine May Result in Denial of Service (DoS) Due to a Corrupted Session Cache	2009-02-16

BACK