Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                       ESB-2009.0195 -- [Appliance]
           Nortel Response to OpenSSL 'EVP_VerifyFinal' Function
                   Signature Verification Vulnerability
                               3 March 2009


        AusCERT Security Bulletin Summary

Product:              OpenSSL
Publisher:            Nortel
Operating System:     Network Appliance
Impact:               Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-5077

Ref:                  AA-2009.0029

Original Bulletin:    

- --------------------------BEGIN INCLUDED TEXT--------------------

Nortel Response to OpenSSL 'EVP_VerifyFinal' Function Signature Verification

BULLETIN ID: 2009009350, Rev 1
PUBLISHED: 2009-02-26
STATUS: Active
PRIORITY: Critical
TYPE: Security Advisory

1. OpenSSL 07-Jan-2009 -
2. CVE-2008-5077 -
3. Secunia SA33338 - http://secunia.com/advisories/33338/

A vulnerability has been reported in OpenSSL, which can be exploited by 
malicious people to conduct spoofing attacks. Some Nortel products contain 
this software as a component and thus are potentially affected. This bulletin 
provides a multi-product consolidated response for the Nortel products which 
are potentially affected.

The vulnerability is caused due to certain OpenSSL functions not correctly 
verifying the return value of the "EVP_VerifyFinal()" function when validating 
the signature of DSA and ECDSA keys. This can be exploited to bypass the 
signature check, such as by sending a specially crafted signature of a 
certificate chain to a client. Successful exploitation requires that the 
server uses a certificate containing a DSA or ECDSA key.

Please refer to the vendor link for additional information - 

This bulletin addresses the following CVE:
- - CVE-2008-5077 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077)
OpenSSL 0.9.8i and earlier does not properly check the return value from the 
EVP_VerifyFinal function, which allows remote attackers to bypass validation 
of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA

Before taking any action please ensure that you are viewing the latest 
official version of this security advisory by referencing 

Please refer to the links provided in the Source section for additional 
information about the vulnerabilities addressed and the vendor fix. Please 
refer to the Resolution section for Nortel-specific recommendations.

Please refer to the links provided in the Source section for additional 
information about the vulnerabilities addressed and the vendor fix. Please 
refer to the Resolution section for Nortel-specific recommendations.

Please refer to the links provided in the Source section for additional 
information about the vulnerabilities addressed and the vendor fix. Please 
refer to the Resolution section for Nortel-specific recommendations.

Please refer to the links provided in the Overview section for additional 
information about the vulnerabilities addressed and the vendor fix. Please 
refer to the Resolution section for Nortel-specific recommendations.

1. The following products are potentially vulnerable to this issue in that, 
while there is no direct dependency with the Nortel product, the affected 
component is incorporated. Please refer to product-specific text below for 
instructions on how to proceed.

3rd-Party - Sun Platform-OAME
Carrier VoIP - MG 9000
. The risk is low because: a) We do not see DSA/ECDSA used in our system. 
b) It's hard to attack by this way (it requires the specially crafted 
certificates and to inject it into the system, root permission is required). 
Nortel does not recommend applying a fix at this time.

Self-Service - Media Processing Svr 500, Media Processing Svr 1000, Peri 
. The following patches are under development and will be released as soon as 
- - PERIdist, dist2.0.0.55 (Windows only - prerequisite for both vxml and htmls)
- - PERIvxml, vxml2.3.0.61 (Solaris and Windows)
- - htmls2.0.0.19 (Solaris and Windows)
- - SUN vendor ssl patch for Solaris 10
The following patch is under test and will be released shortly:
- - openssh for Solaris 8 only (NPopenSSH version 5.1.p1)
Please request released patches through the normal channel for installation.

Switched Firewall - 5300 (SFA-AD3), 5400 (SFA-AD4), 5600 (SFA-184), 5700 
(SFA-185), SF-5014, SFA-6400, SFA-6600
. Fix is planned for release 4.2.5 due in June 2009.

VPN Gateway - 3050, 3070
VPN Router - SSL VPN Module 1000
. The security exposure of a successful attack is high because confidential 
information is subject to exposure to the attacker. The risk of a successful 
implementation of the exploit is low due to the logistical difficulty in 
setting up an attack.
The following actions mitigate or address this vulnerability:
1. Security measures that prevent a potential attacker from modifying 
configuration in the VPN Gateway and intranet DNS servers.
2. Use of RSA key rather than DSA and ECDSA keys.
3. Upgrade VPN Gateway software to release V7.0.7.1 or V7.1.3
Release V7.0.7.1 is available by contacting Nortel customer support. Release 
V7.1.3 will be generally available in April 2009.
2. The following products are not vulnerable to this security issue. Please 
review the list below to see any additional product-specific comments.

ENSM - IP Address Manager

3. The following Nortel Generally Available products have not completed 
investigation to determine their vulnerability to the security issues. It is 
not recommended to apply the fix until Nortel's investigation is complete. 
This bulletin will be reissued if Nortel's investigation results in any change 
to this recommendation.

Carrier VoIP - IAD 1104S
DMS - PSP-Switching
ENSM - IP Address Manager
Enterprise VoIP - TM-CS1000, CS 1000M Chassis/Cabinet, CS 1000S
Ethernet Rtng Switch 8661
Meridian Core - Option 11C - Cabinet, Option 11C - Chassis, Option 51C, 
Option 61C, Option 81C
Meridian SL100 - CS 2100, CS 2100-Compact
Multimedia Comm. - MCS5100, MCS5200
Multiservice Switch - MDM
Services Edge Router - SER Bootrom, iSOS
SSL Accelerator - SSL Acc 100, SSL Acc 310, SSL Acc 310 FIPS, SSL Acc 410
Switched Firewall - 5400 (SFA-AD4), ASF-5024, ASF-5105, ASF-5112, ASF-5130, 
SF-5106, SF-5109, SF-5114, SF/VPN 5124
Threat Protection - TPS 2050IS, TPS 2070DC, TPS 2070IS, TPS 2150IS, TPS 2170IS,
TPS 2050TI, TPS 2070TI
USP - BB-STP, Signalling Gateway Blade
VPN Router - 221, 251, 1010, 1050, 1100, 1700, 1740, 1750, 2700, 5000
VPN Router - Contivity 2600, Contivity 4500, Contivity 4600
WiMAX - NMS 5100 Core Manager

For more information from Nortel:
Please contact your next level of support or visit 
http://www.nortel.com/contact for support numbers within your region.
Nortel security advisories: http://www.nortel.com/securityadvisories
Nortel Partner Information Center (PIC) website: http://www.nortel.com/pic

There are no attachments for this bulletin

Products and Releases:
The information in this bulletin is intended to be used with the following 
products and associated releases:

3rd Party-Sun-Sun Platform-OAME
CDMA-Packet Core-HA
CDMA-Packet Core-PDSN FA
CDMA-Network Management-W-NMS-CNM
Carrier VoIP-IAD-IAD 1104S
Carrier VoIP-Media Gateways-MG 9000
DMS-Network Management-PSP-Switching
ENSM-IP Address Manager-IP Address Manager
Enterprise VoIP-Core-CS 1000M Chassis/Cabinet
Enterprise VoIP-Core-CS 1000S
Enterprise VoIP-Applications-TM-CS1000
Ethernet Rtng Switch-Ethrnt Rtng Swt 8600-Ethernet Rtng Switch 8661
Meridian-SL100-CS 2100
Meridian-SL100-CS 2100-Compact
Meridian-Core-Option 11C - Cabinet
Meridian-Core-Option 11C - Chassis
Meridian-Core-Option 51C
Meridian-Core-Option 61C
Meridian-Core-Option 81C
Multimedia Comm.-MCS5100-MCS5100
Multimedia Comm.-MCS5200-MCS5200
Multiservice Switch-Network Management-MDM
SSL Accelerator-SSL Accelerator-SSL Acc 100
SSL Accelerator-SSL Accelerator-SSL Acc 310
SSL Accelerator-SSL Accelerator-SSL Acc 310 FIPS
SSL Accelerator-SSL Accelerator-SSL Acc 410
Self-Service-Media Processing Svr-Media Processing Svr 1000
Self-Service-Media Processing Svr-Media Processing Svr 500
Self-Service-Self-Service-Peri Application
Services Edge Router-5500-SER Bootrom
Services Edge Router-5500-iSOS
Switched Firewall-Switched Firewall-5300 (SFA-AD3)
Switched Firewall-Switched Firewall-5400 (SFA-AD4)
Switched Firewall-Switched Firewall-5600 (SFA-184)
Switched Firewall-Switched Firewall-5700 (SFA-185)
Switched Firewall-Switched Firewall-ASF-5024
Switched Firewall-Switched Firewall-ASF-5105
Switched Firewall-Switched Firewall-ASF-5112
Switched Firewall-Switched Firewall-ASF-5130
Switched Firewall-Switched Firewall-SF-5014
Switched Firewall-Switched Firewall-SF-5106
Switched Firewall-Switched Firewall-SF-5109
Switched Firewall-Switched Firewall-SF-5114
Switched Firewall-Switched Firewall-SF/VPN 5124
Switched Firewall-Switched Firewall-SFA-6400
Switched Firewall-Switched Firewall-SFA-6600
Threat Protection-TPS 2000-TPS 2050IS
Threat Protection-TPS 2000-TPS 2050TI
Threat Protection-TPS 2000-TPS 2070DC
Threat Protection-TPS 2000-TPS 2070IS
Threat Protection-TPS 2000-TPS 2070TI
Threat Protection-TPS 2000-TPS 2150IS
Threat Protection-TPS 2000-TPS 2170IS
USP (SS7 Signaling)-Signaling Server-BB-STP
USP (SS7 Signaling)-Signaling Gtwy Blade-Signaling Gateway Blade
VPN Gateway-VPN Gateway-VPN 3050
VPN Gateway-VPN Gateway-VPN 3070
VPN Router-2000-Contivity 2600
VPN Router-4000-Contivity 4500
VPN Router-4000-Contivity 4600
VPN Router-SSL VPN-SSL VPN Module 1000
VPN Router-1000-VPN Router 1010
VPN Router-1000-VPN Router 1050
VPN Router-1000-VPN Router 1100
VPN Router-1000-VPN Router 1700
VPN Router-1000-VPN Router 1740
VPN Router-1000-VPN Router 1750
VPN Router-200-VPN Router 221
VPN Router-200-VPN Router 251
VPN Router-2000-VPN Router 2700
VPN Router-5000-VPN Router 5000
VPN Router-600-VPN Router 600
WiMAX-Network Management-NMS 5100 Core Manager

To view the most recent version of this bulletin, access technical 
documentation, search our knowledge base, or to contact a Technical Support 
Representative, please visit Nortel Technical Support on the web at: 
http://support.nortel.com/. You may also sign up to receive automatic email 
alerts when new bulletins are published.

REFERENCE: CVE-2008-5077

Copyright 2007 Nortel Networks. All rights reserved. Information in this 
document is subject to change without notice. Nortel assumes no responsibility
for any errors that may appear in this document. The information in this 
document is proprietary to Nortel Networks.

Nortel recommends any maintenance activities, such as those outlined in this 
bulletin, be completed during a local maintenance window.

Nortel, the Nortel logo, and the Globemark design are trademarks of Nortel 
Networks. All other trademarks are the property of their respective owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967