[VIM] CVE-2009-0125 (fwd)
security curmudgeon
jericho at attrition.org
Tue Jan 20 23:09:26 UTC 2009
Renaud has contacted CVE about this, posting here for others.
---------- Forwarded message ----------
> From: Renaud Deraison <deraison at nessus.org>
> Date: January 18, 2009 10:43:29 PM CEST
>
> I wanted to dispute the existence of CVE-2009-0125 (libnasl misusing the
> return value of DSA_do_verify()) : while we do misuse this function (this is
> a bug), it has absolutely no security ramification.
>
> To give you some context, the function DSA_do_verify() is called by the nasl
> function dsa_do_verify() which is used when Nessus attempts to log into a
> remote SSH server.
>
> If an attacker were to control a rogue SSH server, then he would be better
> off submitting a perfectly valid signature instead of a malformed one, and we
> would log into it anyways. Hence, there is absolutely no security risk
> associated with the misuse of this function.
More information about the VIM
mailing list