Vulnerability Note VU#845620
Multiple RSA implementations fail to properly handle signatures
Overview
Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures.
Description
RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data to ensure message hashes are adequately sized. One such padding scheme is specified in the Public-Key Cryptography Standard #1 (PKCS-1), which is defined in RFC 3447. Many RSA implementations may fail to properly verify signatures. Specifically, the verifier may incorrectly parse PKCS-1 padded signatures, ignoring data at the end of a signature. If this data is ignored and a RSA key with a public exponent of three is used, it may be possible to forge the signing key's signature. |
Impact
This vulnerability may allow an attacker to forge an RSA signature. |
Solution
Check with your vendor |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Appgate Network Security | Affected | 08 Sep 2006 | 13 Sep 2006 |
| Apple Computer, Inc. | Affected | - | 08 Jan 2007 |
| AttachmateWRQ, Inc. | Affected | 06 Sep 2006 | 20 Oct 2006 |
| Avaya, Inc. | Affected | 08 Sep 2006 | 18 Sep 2006 |
| Blue Coat Systems | Affected | - | 08 Jan 2007 |
| Cisco Systems, Inc. | Affected | 08 Sep 2006 | 13 Nov 2006 |
| Debian GNU/Linux | Affected | 08 Sep 2006 | 03 Oct 2006 |
| F5 Networks, Inc. | Affected | 06 Sep 2006 | 11 Sep 2006 |
| FreeBSD, Inc. | Affected | 08 Sep 2006 | 11 Sep 2006 |
| Gentoo Linux | Affected | 08 Sep 2006 | 03 Oct 2006 |
| GnuTLS | Affected | - | 20 Sep 2006 |
| Hewlett-Packard Company | Affected | 08 Sep 2006 | 13 Nov 2006 |
| IAIK Java Group | Affected | 06 Sep 2006 | 20 Oct 2006 |
| IBM Corporation | Affected | 08 Sep 2006 | 08 Jan 2007 |
| Internet Software Consortium | Affected | - | 19 Jan 2007 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
- http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
- http://www.openssl.org/news/secadv_20060905.txt
- http://secunia.com/advisories/21709/
- http://www.rsasecurity.com/rsalabs/node.asp?id=2125
- http://www.ietf.org/rfc/rfc3447.txt
- http://www.securityfocus.com/bid/22083
Credit
This vulnerability was reported by Daniel Bleichenbacher.
This document was written by Jeff Gennari.
Other Information
- CVE IDs: CVE-2006-4339
- Date Public: 05 Sep 2006
- Date First Published: 21 Sep 2006
- Date Last Updated: 08 Feb 2007
- Severity Metric: 7.56
- Document Revision: 95
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.