SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   OpenSSL Vendors:   OpenSSL.org
OpenSSL RSA Signatures Can Be Forged
SecurityTracker Alert ID:  1016791
SecurityTracker URL:  http://securitytracker.com/id/1016791
CVE Reference:   CVE-2006-4339   (Links to External Site)
Date:  Sep 5 2006
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.7j and prior versions, 0.9.8 - 0.9.8b
Description:   A vulnerability was reported in OpenSSL. A remote user may be able to forge certain digital signatures.

If an RSA key with exponent 3 is used, a remote user may be able to forge a PKCS #1 v1.5 signature for that key.

Software that uses PKCS #1 v1.5 may be affected. Software that uses OpenSSL to verify X.509 certificates may also be affected.

Daniel Bleichenbacher reported the type of attack that is possible against PKCS #1 v1.5 signatures.

Impact:   A remote user may be able to forge signatures (and certificates).
Solution:   The vendor has released fixed versions (0.9.7k, 0.9.8c). The vendor has issued the following solution options [quoted]:

1. Upgrade the OpenSSL server software.

The vulnerability is resolved in the following versions of OpenSSL:

- in the 0.9.7 branch, version 0.9.7k (or later);
- in the 0.9.8 branch, version 0.9.8c (or later).

OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via
HTTP and FTP from the following master locations (you can find the
various FTP mirrors under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The distribution file names are:

o openssl-0.9.8c.tar.gz
MD5 checksum: 78454bec556bcb4c45129428a766c886
SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d

o openssl-0.9.7k.tar.gz
MD5 checksum: be6bba1d67b26eabb48cf1774925416f
SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2

The checksums were calculated using the following commands:

openssl md5 openssl-0.9*.tar.gz
openssl sha1 openssl-0.9*.tar.gz

2. If this version upgrade is not an option at the present time,
alternatively the following patch may be applied to the OpenSSL
source code to resolve the problem. The patch is compatible with
the 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL.

o http://www.openssl.org/news/patch-CVE-2006-4339.txt

Whether you choose to upgrade to a new version or to apply the patch,
make sure to recompile any applications statically linked to OpenSSL
libraries.

The advisory is available at:

http://www.openssl.org/news/secadv_20060905.txt

Vendor URL:  www.openssl.org/news/secadv_20060905.txt (Links to External Site)
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 7 2006 (FreeBSD Issues Fix) OpenSSL RSA Signatures Can Be Forged   (FreeBSD Security Advisories <security-advisories@freebsd.org>)
FreeBSD has released a fix.
Sep 8 2006 (Red Hat Issues Fix) OpenSSL RSA Signatures Can Be Forged   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, and 4.
Sep 9 2006 (OpenBSD Issues Fix) OpenSSL RSA Signatures Can Be Forged
OpenBSD has issued patches for OpenBSD UNIX 3.8 and 3.9.
Sep 22 2006 (NetBSD Issues Fix) OpenSSL RSA Signatures Can Be Forged   (NetBSD Security-Officer <security-officer@NetBSD.org>)
NetBSD has released a fix.
Oct 3 2006 (Sun Issues Fix for Java) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for Sun JDK and JRE 5.0.
Oct 9 2006 (Sun Issues Fix for Sun Secure Global Desktop) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for Sun Secure Global Desktop.
Oct 13 2006 (SSH Issues Fix for Tectia Server) OpenSSL RSA Signatures Can Be Forged
SSH has issued a fix for SSH Tectica Server.
Oct 13 2006 (SSH Issues Fix for Tectia Manager) OpenSSL RSA Signatures Can Be Forged
SSH has issued a fix for SSH Tectica Manager.
Oct 26 2006 (Sun Issues Fix for Solaris) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for Solaris 10.
Oct 26 2006 (Sun Issues Fix for Java Enterprise System) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for Sun Java Enterprise System.
Nov 1 2006 (HP Issues Fix for Virtualvault) OpenSSL RSA Signatures Can Be Forged
HP has issued a fix for Virtualvault 4.5, 4.6, and 4.7 on HP-UX 11.04.
Nov 4 2006 (ISC Issues Fix for BIND) OpenSSL RSA Signatures Can Be Forged
ISC has issued a fix for BIND.
Nov 16 2006 (Sun Issues Fix for JRE/JSEE) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for JRE/JSEE.
Nov 29 2006 (Apple Issues Fix) OpenSSL RSA Signatures Can Be Forged   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has released a fix for Mac OS X.
Dec 22 2006 (Solaris Issues Fix for Solaris WAN Boot) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for Solaris WAN Boot on Solaris 10.
Feb 7 2007 (Red Hat Issues Fix for Java) OpenSSL RSA Signatures Can Be Forged   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux Extras 3 and 4.
Feb 8 2007 (Red Hat Issues Fix for Java) OpenSSL RSA Signatures Can Be Forged   (bugzilla@redhat.com)
Red Hat has released a fix for Java on Red Hat Enterprise Linux 2.1.
Apr 16 2007 (HP Issues Fix for Tru64 UNIX) OpenSSL RSA Signatures Can Be Forged
HP has issued a fix for HP Tru64 UNIX 5.1B-3 and 5.1B-4 and for HP Insight Management Agents.
May 14 2007 (BEA Issues Fix for WebLogic) OpenSSL RSA Signatures Can Be Forged
BEA has issued a fix for BEA WebLogic, which is affected by this SSL vulnerability.
Aug 6 2007 (HP Issues Fix for HP System Management Homepage) OpenSSL RSA Signatures Can Be Forged
HP has issued a fix for HP System Management Homepage, which is affected by this OpenSSL vulnerability.
May 20 2008 (Red Hat Issues Fix for Red Hat Network Satellite Server) OpenSSL RSA Signatures Can Be Forged   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Network Satellite Server 5.x.
Oct 15 2010 (Sun Issues Fix for StarOffice) OpenSSL RSA Signatures Can Be Forged
Sun has issued a fix for StarOffice.



 Source Message Contents

Date:  Tue, 5 Sep 2006 07:55:27 -0400
Subject:  OpenSSL Security Advisory [5th September 2006]


http://www.openssl.org/news/secadv_20060905.txt

CVE-2006-4339
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC