Welcome to the JaguarPC Community

This is a discussion on OpenSSL Security Advisory [5th September 2006] in the Open Discussion & Chit-chat forum

  1. #1
    Vin DSL

    OpenSSL Security Advisory [5th September 2006]

    RSA Signature Forgery (CVE-2006-4339)
    =====================================

    Vulnerability
    -------------

    Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
    signatures. If an RSA key with exponent 3 is used it may be possible
    to forge a PKCS #1 v1.5 signature signed by that key. Implementations
    may incorrectly verify the certificate if they are not checking for
    excess data in the RSA exponentiation result of the signature.

    Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
    used in X.509 certificates, all software that uses OpenSSL to verify
    X.509 certificates is potentially vulnerable, as well as any other use
    of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
    TLS.

    OpenSSL versions up to 0.9.7j and 0.9.8b are affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2006-4339 to this issue.

    Recommendations
    ---------------

    There are multiple ways to avoid this vulnerability. Any one of the
    following measures is sufficient.

    1. Upgrade the OpenSSL server software.

    The vulnerability is resolved in the following versions of OpenSSL:

    - in the 0.9.7 branch, version 0.9.7k (or later);
    - in the 0.9.8 branch, version 0.9.8c (or later).

    OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via
    HTTP and FTP from the following master locations (you can find the
    various FTP mirrors under http://www.openssl.org/source/mirror.html):

    o http://www.openssl.org/source/
    o ftp://ftp.openssl.org/source/

    The distribution file names are:

    o openssl-0.9.8c.tar.gz
    MD5 checksum: 78454bec556bcb4c45129428a766c886
    SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d

    o openssl-0.9.7k.tar.gz
    MD5 checksum: be6bba1d67b26eabb48cf1774925416f
    SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2

    The checksums were calculated using the following commands:

    openssl md5 openssl-0.9*.tar.gz
    openssl sha1 openssl-0.9*.tar.gz

    2. If this version upgrade is not an option at the present time,
    alternatively the following patch may be applied to the OpenSSL
    source code to resolve the problem. The patch is compatible with
    the 0.9.6, 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL.


    o http://www.openssl.org/news/patch-CVE-2006-4339.txt

    Whether you choose to upgrade to a new version or to apply the patch,
    make sure to recompile any applications statically linked to OpenSSL
    libraries.


    Acknowledgements
    ----------------

    The OpenSSL team thank Philip Mackenzie, Marius Schilder, Jason Waddle
    and Ben Laurie, of Google Security, who successfully forged various
    certificates, showing OpenSSL was vulnerable, and provided the patch
    to fix the problems.


    References
    ----------

    http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-4339
    http://www.imc.org/ietf-openpgp/mail.../msg14307.html

    URL for this Security Advisory:
    http://www.openssl.org/news/secadv_20060905.txt
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010
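The missing check named in the advisory ("excess data in the RSA exponentiation result"), as an added example that is not part of the original post and is not OpenSSL's code or patch. It works only on the decoded PKCS #1 v1.5 block (no RSA arithmetic); the function names, the 128-byte block size and both sample blocks are constructed for illustration.

```python
import hashlib
import hmac

# DER prefix of the DigestInfo structure for SHA-1 (RFC 8017, section 9.2).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def encode(msg: bytes, k: int) -> bytes:
    """Expected k-byte block: 00 01 FF..FF 00 DigestInfo || SHA-1(msg)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    if k < len(t) + 11:
        raise ValueError("block too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lax_verify(em: bytes, msg: bytes) -> bool:
    """Flawed: reads the digest right after the padding, ignores what follows."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return em[i + 1 : i + 1 + len(t)] == t  # excess data is never checked

def strict_verify(em: bytes, msg: bytes) -> bool:
    """Hardened: rebuild the full expected block and compare every byte."""
    try:
        expected = encode(msg, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

# Constructed sample blocks for a 1024-bit (128-byte) modulus.
MSG = b"constructed sample message"
K = 128
GOOD = encode(MSG, K)
_t = SHA1_DIGESTINFO + hashlib.sha1(MSG).digest()
_head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _t
BAD = _head + b"\xaa" * (K - len(_head))  # short padding, excess bytes after digest

if __name__ == "__main__":
    for name, em in (("well-formed", GOOD), ("excess data", BAD)):
        print(name, "lax:", lax_verify(em, MSG), "strict:", strict_verify(em, MSG))
```
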

  2. #2
    Vin DSL

    OpenSSL Vulnerable to Forged Signatures

    Security researchers have demonstrated a way to forge digital signatures that can fool the OpenSSL software used in many secure web servers and virtual private networks (VPN). The OpenSSL Project has issued patches to address the weakness, and is urging users to upgrade or install the patches.

    The signature forgery technique was first demonstrated by Daniel Bleichenbacher, a cryptographer at Bell Labs, at the CRYPTO 2006 conference last month. While the forgery only works on specific keys (known as PKCS #1 v1.5), these keys are used by some certificate authorities in SSL server certificates.

    "All software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5," OpenSSL said in its advisory. "This includes software that uses OpenSSL for SSL or TLS." OpenSSL versions up to 0.9.7j and 0.9.8b are affected.

    OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is used in security products from numerous vendors.
