SecurityTracker.com
Category:   Application (Generic)  >   BIND
Vendors:   ISC (Internet Software Consortium)
(ISC Issues Fix for BIND) OpenSSL RSA Signatures Can Be Forged
SecurityTracker Alert ID:  1017159
SecurityTracker URL:  http://securitytracker.com/id/1017159
CVE Reference:   CVE-2006-4339   (Links to External Site)
Date:  Nov 4 2006
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 9.x
Description:   A vulnerability was reported in OpenSSL. A remote user may be able to forge certain digital signatures. BIND is affected.

If an RSA key with exponent 3 is used, a remote user may be able to forge a PKCS #1 v1.5 signature for that key.

Software that uses PKCS #1 v1.5 may be affected. Software that uses OpenSSL to verify X.509 certificates may also be affected.

Daniel Bleichenbacher reported the type of attack that is possible against PKCS #1 v1.5 signatures.

Impact:   A remote user may be able to forge signatures (and certificates).
Solution:   BIND is affected by this OpenSSL vulnerability (OpenSSL is required to use DNSSEC with BIND and had been included in earlier versions of the BIND distribution).

The vendor has issued the following fixed versions: BIND 9.2.6-P2, BIND 9.3.2-P2, BIND 9.2.7rc3, BIND 9.3.3rc3, and BIND 9.4.0b3.

Upgrade and then generate new RSASHA1 and RSAMD5 keys for all old keys that were using the old default exponent and perform a key rollover to the new keys.

Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 5 2006 OpenSSL RSA Signatures Can Be Forged



 Source Message Contents

Date:  Sat, 4 Nov 2006 00:33:47 -0500
Subject:  BIND



From NISCC:

Title
=====

Internet Systems Consortium Security Advisory: BIND 9: OpenSSL Vulnerabilities.
                            
Detail
======

Because of OpenSSL's recently announced vulnerabilities
(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
we are announcing this workaround and releasing patches.  A proof of
concept attack on OpenSSL has been demonstrated for CAN-2006-4339.
OpenSSL is required to use DNSSEC with BIND.  ISC had included
the OpenSSL library in the BIND distribution, and in more recent
versions, the OpenSSL library was required, but no longer a part
of the distribution.



               Internet Systems Consortium Security Advisory.
                   BIND 9: OpenSSL Vulnerabilities.
                             31 October 2006

Versions affected:
	BIND 9.0.x (all versions of BIND 9.0)
	BIND 9.1.x (all versions of BIND 9.1)
	BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.6-P1,
	     9.2.7b1, 9.2.7rc1 and 9.2.7rc2
	BIND 9.3.0, 9.3.1, 9.3.2, 9.3.2-P1, 9.3.3b1, 9.3.3rc1 and 9.3.3rc2
        BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1
	     and 9.4.0b2

Severity: Moderate (see below)
Exploitable: Remotely

Description:

	Because of OpenSSL's recently announced vulnerabilities
	(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
	we are announcing this workaround and releasing patches.  A proof of
	concept attack on OpenSSL has been demonstrated for CAN-2006-4339.

	OpenSSL is required to use DNSSEC with BIND.  ISC had included
        the OpenSSL library in the BIND distribution, and in more recent
	versions, the OpenSSL library was required, but no longer a part
	of the distribution.

Workaround:

	Recompile named with a known good version of OpenSSL.
	OpenSSL 0.9.8d and 0.9.7l or greater are known to be good
	versions.

	For both KEY and DNSKEY resource record types, generate
	RSASHA1 and RSAMD5 keys using the -e option to dnssec-keygen
	if the current keys were generated using the default exponent
	of 3.  You can determine if a key is vulnerable by looking
	at the algorithm (1 or 5) and the first three characters
	of the base64 encoded RSA key.

	RSASHA1 (5) and RSAMD5 (1) keys that start with AQM, AQN, AQO
        or AQP are vulnerable.

	For example, this RSASHA1 (5) key is vulnerable and needs to be
	replaced as the base64 encoded RSA key starts with AQP.

	DNSKEY 256 3 5 ( AQPGP80zt8pQS5xVaaaD054XBet8sCKaYZ9WrnYyuznqNX
			 kS91j6qqHuw7Y9kKAVsFoWfNw0CpahdIJIhUPFM1JRJtXh
		         Ny1cg9Ok3kBnN+fwCe2LY3qOtweFbL9bSjgolQWr42AlFO
		         jZnJVW1cECgVBfinKHBIEIIwIdHGGuLyIQaQ== )

	Note: the use of RSAMD5 (1) is no longer recommended.

	Once you have generated new keys, use the key rollover
	process of your choice to put them into production. We
	expect your normal (non-emergency) processes to be adequate,
	however, you should do your own risk analysis against the
	costs of exploitation of weak keys and proceed accordingly.

Fix:

	Upgrade to BIND 9.2.6-P2, BIND 9.3.2-P2, BIND 9.2.7rc3,
	BIND 9.3.3rc3 or BIND 9.4.0b3 then generate new RSASHA1 and
	RSAMD5 keys for all old keys using the old default exponent
	and perform a key rollover to these new keys.  See above
	for how to determine if you are using the old default exponent.

	These new versions of named check that the OpenSSL version meets
	the minimum revision levels at configure time -- for Windows,
	compile time.

	These versions also change the default RSA exponent to be
	65537 which is not vulnerable to the attacks described in
	CAN-2006-4339.

Revision History:

	20061102: Corrected fixed version number from BIND 9.2.3-P2
	to BIND 9.3.2-P2.
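
Added example, not part of the ISC advisory or the SecurityTracker alert: a key audit that generalizes the advisory's "AQM, AQN, AQO or AQP" prefix check by decoding the RSA public key field (RFC 3110 layout: exponent length, exponent, modulus) and reading the exponent directly. The function names, the `example.test.` owner name and TTL, and the second key are constructed for illustration; the first key is the advisory's own example.

```python
import base64
import re

# Algorithm numbers named in the advisory.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1"}

# KEY/DNSKEY rdata: flags, protocol, algorithm, then the base64 key, either
# wrapped in parentheses (may span lines) or bare on a single line.
RECORD_RE = re.compile(
    r"\b(?:DNSKEY|KEY)\s+\d+\s+\d+\s+(\d+)\s+"
    r"(?:\(([A-Za-z0-9+/=\s]+)\)|([A-Za-z0-9+/= \t]+))")

def rsa_exponent(key_b64):
    """Decode an RFC 3110 RSA public key field and return its exponent."""
    raw = base64.b64decode("".join(key_b64.split()))
    if len(raw) < 3:
        raise ValueError("key too short")
    if raw[0]:                      # one-byte exponent length
        exp_len, start = raw[0], 1
    else:                           # zero byte, then two-byte length
        exp_len, start = int.from_bytes(raw[1:3], "big"), 3
    if exp_len == 0 or start + exp_len >= len(raw):
        raise ValueError("exponent length leaves no modulus")
    return int.from_bytes(raw[start:start + exp_len], "big")

def audit_keys(zone_text):
    """Return (algorithm name, exponent, needs_replacing) per RSA key found."""
    findings = []
    for match in RECORD_RE.finditer(zone_text):
        algorithm = int(match.group(1))
        if algorithm not in RSA_ALGORITHMS:
            continue                # key field has a different layout
        exponent = rsa_exponent(match.group(2) or match.group(3))
        findings.append((RSA_ALGORITHMS[algorithm], exponent, exponent == 3))
    return findings

# Constructed stand-in key: exponent 65537 plus filler bytes, not a real modulus.
CONSTRUCTED_KEY = base64.b64encode(bytes([3, 1, 0, 1]) + bytes(range(1, 65))).decode()

# First record is the advisory's example key; owner name and TTL are constructed.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 5 ( AQPGP80zt8pQS5xVaaaD054XBet8sCKaYZ9WrnYyuznqNX
        kS91j6qqHuw7Y9kKAVsFoWfNw0CpahdIJIhUPFM1JRJtXh
        Ny1cg9Ok3kBnN+fwCe2LY3qOtweFbL9bSjgolQWr42AlFO
        jZnJVW1cECgVBfinKHBIEIIwIdHGGuLyIQaQ== )
example.test. 3600 IN DNSKEY 256 3 5 """ + CONSTRUCTED_KEY + "\n"

if __name__ == "__main__":
    for name, exponent, replace in audit_keys(SAMPLE_ZONE):
        print(name, exponent, "REPLACE" if replace else "ok")
```

The four prefixes in the advisory all decode to the bytes 01 03 (a one-byte exponent whose value is 3), which is why checking the first three base64 characters is sufficient for algorithms 1 and 5.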
 
 



Copyright 2012, SecurityGlobal.net LLC