F-Secure Corporation Information for VU#845620

Multiple RSA implementations fail to properly handle signatures

Status

Not Affected

Vendor Statement

F-Secure antivirus products are not vulnerable. The list of non-vulnerable products includes F-Secure Anti-Virus, F-Secure Internet Security, F-Secure Client Security, F-Secure Server Security, F-Secure Mobile Security, F-Secure Messaging Security Gateway, F-Secure Network Control, and all other products in F-Secure small business and corporate suites, also listed at http://www.f-secure.com/enterprises/products/.

F-Secure VPN+ versions up to version 6.12 are vulnerable in installations that use PKI CA issued certificates, which use third-party generated keys. The RSA key generator in F-Secure products has never allowed the generation of RSA keys with a public exponent of 3. This means that keys created with F-Secure tools cannot be used to mount an attack against F-Secure products or other systems.

The F-Secure SSH product line is exclusively distributed by Attachmate under the Reflection for Secure IT brand. Please see the vendor statement from Attachmate for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.