Vulnerability Note VU#724968
RSA key reconstruction vulnerability
Overview
Various implementations of RSA may contain a vulnerability that could allow an attacker to retrieve encryption keys.
I. Description
Some implementations of RSA may contain a vulnerability that could allow a local attacker to retrieve encryption keys.
OpenSSL is a widely used open source implementation of the SSL and TLS protocols. OpenSSL is based on the SSLeay library. OpenSSL provides support for the RSA encryption algorithm. Note that vendors may include a vulnerable version of OpenSSL in web servers, VPN products, or other products.
II. Impact
An attacker could possibly decrypt messages that were encrypted with OpenSSL using the RSA algorithm.
III. Solution
Apply a patch
OpenSSL has released a patch to address this issue. See http://openssl.org/news/patch-CVE-2007-3108.txt for more details. See the Systems Affected section of this document for a partial list of other vendors who may be affected.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| America Online, Inc. | Unknown | 28-Jun-2007 |
| Apache-SSL | Unknown | 28-Jun-2007 |
| Apache HTTP Server Project | Unknown | 28-Jun-2007 |
| Apple Computer, Inc. | Unknown | 1-Aug-2007 |
| Aruba Networks, Inc. | Unknown | 28-Jun-2007 |
| AttachmateWRQ, Inc. | Unknown | 28-Jun-2007 |
| Certicom | Unknown | 28-Jun-2007 |
| Conectiva Inc. | Unknown | 1-Aug-2007 |
| Covalent Technologies | Unknown | 28-Jun-2007 |
| Cray Inc. | Unknown | 1-Aug-2007 |
| Cryptlib | Unknown | 2-Aug-2007 |
| Crypto++ Library | Unknown | 28-Jun-2007 |
| Debian GNU/Linux | Unknown | 1-Aug-2007 |
| EMC Corporation | Unknown | 1-Aug-2007 |
| Engarde Secure Linux | Unknown | 1-Aug-2007 |
| F-Secure Corporation | Unknown | 31-Jul-2007 |
| F5 Networks, Inc. | Unknown | 28-Jun-2007 |
| Fedora Project | Unknown | 1-Aug-2007 |
| FreeBSD, Inc. | Unknown | 1-Aug-2007 |
| Fujitsu | Unknown | 1-Aug-2007 |
| Gentoo Linux | Unknown | 1-Aug-2007 |
| Hewlett-Packard Company | Unknown | 1-Aug-2007 |
| Hitachi | Unknown | 1-Aug-2007 |
| IAIK Java Group | Unknown | 28-Jun-2007 |
| IBM Corporation | Unknown | 1-Aug-2007 |
| IBM Corporation (zseries) | Unknown | 1-Aug-2007 |
| IBM eServer | Unknown | 1-Aug-2007 |
| Immunix Communications, Inc. | Unknown | 1-Aug-2007 |
| Ingrian Networks, Inc. | Unknown | 28-Jun-2007 |
| Juniper Networks, Inc. | Unknown | 1-Aug-2007 |
| Lotus Software | Unknown | 28-Jun-2007 |
| lsh | Unknown | 28-Jun-2007 |
| Mandriva, Inc. | Unknown | 1-Aug-2007 |
| Microsoft Corporation | Unknown | 28-Jun-2007 |
| Mirapoint, Inc. | Unknown | 28-Jun-2007 |
| mod_ssl | Unknown | 28-Jun-2007 |
| MontaVista Software, Inc. | Unknown | 1-Aug-2007 |
| Mozilla | Unknown | 28-Jun-2007 |
| NEC Corporation | Unknown | 1-Aug-2007 |
| NetBSD | Unknown | 1-Aug-2007 |
| Netscape NSS | Unknown | 28-Jun-2007 |
| Nokia | Unknown | 28-Jun-2007 |
| Novell, Inc. | Unknown | 1-Aug-2007 |
| OpenBSD | Unknown | 1-Aug-2007 |
| OpenSSH | Unknown | 13-Aug-2007 |
| OpenSSL | Vulnerable | 2-Aug-2007 |
| Openwall GNU/*/Linux | Unknown | 1-Aug-2007 |
| QNX, Software Systems, Inc. | Unknown | 1-Aug-2007 |
| Red Hat, Inc. | Unknown | 1-Aug-2007 |
| RSA Security, Inc. | Unknown | 28-Jun-2007 |
| Secure Computing Network Security Division | Unknown | 27-Aug-2007 |
| Silicon Graphics, Inc. | Unknown | 1-Aug-2007 |
| Slackware Linux Inc. | Unknown | 1-Aug-2007 |
| Sony Corporation | Unknown | 1-Aug-2007 |
| Spyrus | Unknown | 28-Jun-2007 |
| Stunnel | Unknown | 28-Jun-2007 |
| Sun Microsystems, Inc. | Unknown | 28-Jun-2007 |
| SUSE Linux | Unknown | 1-Aug-2007 |
| The SCO Group | Unknown | 1-Aug-2007 |
| Trustix Secure Linux | Unknown | 1-Aug-2007 |
| Turbolinux | Unknown | 1-Aug-2007 |
| Ubuntu | Unknown | 1-Aug-2007 |
| Unisys | Unknown | 1-Aug-2007 |
| Wind River Systems, Inc. | Unknown | 1-Aug-2007 |
References
http://openssl.org/news/patch-CVE-2007-3108.txt
http://cvs.openssl.org/chngview?cn=16275
http://www.openssl.org/docs/apps/rsa.html#
http://en.wikipedia.org/wiki/Rsa
Credit
Thanks to Dr. Onur Aciicmez, Samsung Information Systems America, Samsung Electronics R&D Center, USA, and Prof. Werner Schindler, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany for reporting this vulnerability.
This document was written by Ryan Giobbi.
Other Information
| Date Public: | 2007-08-02 |
| Date First Published: | 2007-08-01 |
| Date Last Updated: | 2007-08-28 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2007-3108 |
| NVD-ID(s): | CVE-2007-3108 |
| US-CERT Technical Alerts: | |
| Metric: | 1.77 |
| Document Revision: | 25 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.