SecurityTracker.com
Category: Application (VPN) > GnuTLS
Vendors: gnutls.org
GnuTLS May Allow Digital Signatures to Be Forged
SecurityTracker Alert ID: 1016844
SecurityTracker URL: http://securitytracker.com/id/1016844
CVE Reference: CVE-2006-4790
Date: Sep 14 2006
Impact: Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.4.4
Description: A vulnerability was reported in GnuTLS. A remote user may be able to forge certain digital signatures.

In certain cases, a remote user may be able to forge a PKCS #1 v1.5 signature for a key.

This is a variant of Bleichenbacher's attack in which the excess data is stored in the 'digestAlgorithm.parameters' field of the DigestInfo structure rather than after it.

This variant was reported by Yutaka Oiwa, Kazukuni Kobara, and Hajime Watanabe.

Impact: A remote user may be able to forge signatures (and certificates).
Solution: The vendor has issued a fixed version (1.4.4), available at:

http://www.gnu.org/software/gnutls/download.html

Vendor URL: lists.gnupg.org/pipermail/gnutls-dev/2006-September/001205.html
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.
Sep 14 2006 (Red Hat Issues Fix) GnuTLS May Allow Digital Signatures to Be Forged   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jun 22 2007 (Sun Issues Fix) GnuTLS May Allow Digital Signatures to Be Forged
Sun has issued a fix for Solaris 10.
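The strict DigestInfo check this advisory calls for (a parameters field that is absent or an explicit ASN.1 NULL and nothing else, and no bytes after the DigestInfo), as an added Python example that is not GnuTLS code: `verify_em` checks the EMSA-PKCS1-v1_5 encoded message a verifier obtains after the RSA public-key operation, and `build_em` is a constructed helper whose `params` argument lets the malformed case be exercised.

```python
import hashlib
import hmac

# DER-encoded OBJECT IDENTIFIER for each accepted hash (encodings from RFC 3447 section 9.2).
OIDS = {
    "sha1": bytes.fromhex("06052b0e03021a"),
    "md5": bytes.fromhex("06082a864886f70d0205"),
}

def _tlv(buf, pos, tag):
    """Parse one short-form DER TLV at buf[pos]; return (content, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] & 0x80:
        raise ValueError("bad tag or length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated")
    return buf[pos + 2:end], end

def verify_em(em, hash_name, message):
    """Strictly check an EMSA-PKCS1-v1_5 encoded message EM against hash(message)."""
    sep = em.find(b"\x00", 2)
    # Layout must be 00 01 || at least eight 0xFF bytes || 00 || T
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return False
    t = em[sep + 1:]
    try:
        digest_info, end = _tlv(t, 0, 0x30)
        if end != len(t):
            return False      # bytes after DigestInfo: Bleichenbacher's original trick
        alg_id, pos = _tlv(digest_info, 0, 0x30)
        oid = OIDS[hash_name]
        if alg_id[:len(oid)] != oid:
            return False
        # Only an absent or explicit NULL parameters field is acceptable; anything
        # else is the "garbage" channel described in this advisory.
        if alg_id[len(oid):] not in (b"", b"\x05\x00"):
            return False
        digest, dend = _tlv(digest_info, pos, 0x04)
        if dend != len(digest_info):
            return False
    except (ValueError, KeyError):
        return False
    expected = hashlib.new(hash_name, message).digest()
    return hmac.compare_digest(digest, expected)

def build_em(k, hash_name, message, params=b"\x05\x00"):
    """Build a k-byte EM (constructed demo helper, not a signing encoder); params is injectable."""
    alg = OIDS[hash_name] + params
    dg = hashlib.new(hash_name, message).digest()
    body = b"\x30" + bytes([len(alg)]) + alg + b"\x04" + bytes([len(dg)]) + dg
    t = b"\x30" + bytes([len(body)]) + body
    return b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t
```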



 Source Message Contents

Date:  Fri Sep 8 17:44:13 CEST 2006
Subject:  [gnutls-dev] Variant of Bleichenbacher's crypto 06 rump session attack

The GNUTLS-SA-2006-4 security problem (fixed in 1.4.3) is a variant of
Bleichenbacher's latest attack:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

The difference is that it uses the digestAlgorithm.parameters field to
store "garbage" instead of after the ASN.1 blob.  The optional
parameters field is not used for MD5/SHA1, but instead of verifying
that the field is not present, GnuTLS just ignored it.  Therefore, it
can be used to store garbage data in.

This problem was reported to us by Yutaka Oiwa, Kazukuni Kobara,
Hajime Watanabe and hopefully their original report with more
background will be available soon.

The patch that fixes this is for lib/x509/verify.c, see below.

This has been installed on the GnuTLS 1.5 branch, but I don't intend
to release 1.5.1 soon.  Try the nightly snapshots, or 1.4.3 instead.

/Simon

Update of /cvs/gnutls/gnutls/lib/x509
In directory trithemius:/tmp/cvs-serv3577

Modified Files:
      Tag: gnutls_1_4_x
	verify.c 
Log Message:
Make sure the digestAlgorithm.parameters field is empty, which it has
to be for the hashes we support.  Otherwise, the field can encode
"garbage" that might be used to make the signature be a perfect cube,
similar (but not identical) to Bleichenbacher's Crypto 06 rump session
attack.

--- /cvs/gnutls/gnutls/lib/x509/verify.c	2005/11/07 23:28:02	1.52
+++ /cvs/gnutls/gnutls/lib/x509/verify.c	2006/09/08 13:38:55	1.52.2.1
 <at>  <at>  -1,5 +1,5  <at>  <at> 
 /*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation
  *
  * Author: Nikos Mavroyanopoulos
  *
 <at>  <at>  -505,6 +505,15  <at>  <at> 
       return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
     }

+  len = sizeof (str) - 1;
+  result = asn1_read_value (dinfo, "digestAlgorithm.parameters", NULL, &len);
+  if (result != ASN1_ELEMENT_NOT_FOUND)
+    {
+      gnutls_assert ();
+      asn1_delete_structure (&dinfo);
+      return _gnutls_asn2err (result);
+    }
+
   result = asn1_read_value (dinfo, "digest", digest, digest_size);
   if (result != ASN1_SUCCESS)
     {
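Review bot: the new block after the hash lookup rejects any present digestAlgorithm.parameters element, but the reference DigestInfo encodings in RFC 3447 section 9.2 for MD5 and SHA-1 carry an explicit NULL (05 00) in that field, so signatures from encoders that emit the NULL will now fail to verify. Read the value into the buffer instead of passing NULL and accept exactly the two-byte NULL encoding in addition to ASN1_ELEMENT_NOT_FOUND, for example `if (result == ASN1_SUCCESS && (len != 2 || memcmp (str, "\x05\x00", 2) != 0))`, rejecting everything else so the garbage channel stays closed. The condition `result != ASN1_ELEMENT_NOT_FOUND` also folds every other asn1_read_value failure into the same path, so a read error and a present field become indistinguishable to the caller; a comment or a distinct return value would make the intent clearer.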
Copyright 2012, SecurityGlobal.net LLC