Some applications that perform X.509 certificate verification may be vulnerable to signature processing problems that lead to resource exhaustion. This vulnerability may cause a denial of service.
Included in X.509 certificates are public keys used for digital signature verification. Choosing very large values for the public exponent and public modulus associated with an RSA public key may cause the verification of that key to require large amounts of system resources. According to NISCC:
...by choosing much larger values for [the public exponent and the public modulus], it may be possible to cause the verification process to consume large amounts of system resources and hence result in a denial-of-service condition.
A remote, unauthenticated attacker could consume large amounts of system resources on an affected device, thereby creating a denial of service.
Upgrade or apply a patch from the vendor
Apple Computer, Inc. Affected
Avaya, Inc. Affected
Cisco Systems, Inc. Affected
Debian GNU/Linux Affected
FreeBSD, Inc. Affected
Gentoo Linux Affected
Hewlett-Packard Company Affected
Mandriva, Inc. Affected
Oracle Corporation Affected
Red Hat, Inc. Affected
SUSE Linux Affected
Slackware Linux Inc. Affected
Sun Microsystems, Inc. Affected
Trustix Secure Linux Affected
NISCC credits Dr. Stephen N. Henson for reporting this vulnerability. This issue was originally reported in GnuTLS by Patrik Hornik.
This document was written by Chris Taschner.
|Date First Published:||2006-09-28|
|Date Last Updated:||2007-02-09 21:30 UTC|