Vulnerability Note VU#845620

Multiple RSA implementations fail to properly handle signatures

Original Release date: 21 Sep 2006 | Last revised: 08 Feb 2007


Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures.


RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data to ensure message hashes are adequately sized. One such padding scheme is specified in the Public-Key Cryptography Standard #1 (PKCS-1), which is defined in RFC 3447.

Many RSA implementations may fail to properly verify signatures. Specifically, the verifier may incorrectly parse PKCS-1 padded signatures, ignoring data at the end of a signature. If this data is ignored and a RSA key with a public exponent of three is used, it may be possible to forge the signing key's signature.

Note that any application that uses RSA signatures may be affected by this vulnerability. This includes, but is not limited to, SSH, SSL, PGP, and X.509 applications.

This issue is further discussed on the ietf-openpgp mailing list.


This vulnerability may allow an attacker to forge an RSA signature.


Check with your vendor
See the systems affected section of this document for information about how specific vendors are addressing this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Appgate Network SecurityAffected08 Sep 200613 Sep 2006
Apple Computer, Inc.Affected-08 Jan 2007
AttachmateWRQ, Inc.Affected06 Sep 200620 Oct 2006
Avaya, Inc.Affected08 Sep 200618 Sep 2006
Blue Coat SystemsAffected-08 Jan 2007
Cisco Systems, Inc.Affected08 Sep 200613 Nov 2006
Debian GNU/LinuxAffected08 Sep 200603 Oct 2006
F5 Networks, Inc.Affected06 Sep 200611 Sep 2006
FreeBSD, Inc.Affected08 Sep 200611 Sep 2006
Gentoo LinuxAffected08 Sep 200603 Oct 2006
GnuTLSAffected-20 Sep 2006
Hewlett-Packard CompanyAffected08 Sep 200613 Nov 2006
IAIK Java GroupAffected06 Sep 200620 Oct 2006
IBM CorporationAffected08 Sep 200608 Jan 2007
Internet Software ConsortiumAffected-19 Jan 2007
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was reported by Daniel Bleichenbacher.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CVE-2006-4339
  • Date Public: 05 Sep 2006
  • Date First Published: 21 Sep 2006
  • Date Last Updated: 08 Feb 2007
  • Severity Metric: 7.56
  • Document Revision: 95


If you have feedback, comments, or additional information about this vulnerability, please send us email.