1 OpenSSL Security Advisory [5th September 2006]
3 RSA Signature Forgery (CVE-2006-4339)
4 =====================================
9 Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
10 signatures. If an RSA key with exponent 3 is used it may be possible
11 to forge a PKCS #1 v1.5 signature signed by that key. Implementations
12 may incorrectly verify the certificate if they are not checking for
13 excess data in the RSA exponentiation result of the signature.
15 Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
16 used in X.509 certificates, all software that uses OpenSSL to verify
17 X.509 certificates is potentially vulnerable, as well as any other use
18 of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
21 OpenSSL versions up to 0.9.7j and 0.9.8b are affected.
23 The Common Vulnerabilities and Exposures project (cve.mitre.org) has
24 assigned the name CAN-2006-4339 to this issue.
29 There are multiple ways to avoid this vulnerability. Any one of the
30 following measures is sufficient.
32 1. Upgrade the OpenSSL server software.
34 The vulnerability is resolved in the following versions of OpenSSL:
36 - in the 0.9.7 branch, version 0.9.7k (or later);
37 - in the 0.9.8 branch, version 0.9.8c (or later).
39 OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via
40 HTTP and FTP from the following master locations (you can find the
41 various FTP mirrors under http://www.openssl.org/source/mirror.html):
43 o http://www.openssl.org/source/
44 o ftp://ftp.openssl.org/source/
46 The distribution file names are:
48 o openssl-0.9.8c.tar.gz
49 MD5 checksum: 78454bec556bcb4c45129428a766c886
50 SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d
52 o openssl-0.9.7k.tar.gz
53 MD5 checksum: be6bba1d67b26eabb48cf1774925416f
54 SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2
56 The checksums were calculated using the following commands:
58 openssl md5 openssl-0.9*.tar.gz
59 openssl sha1 openssl-0.9*.tar.gz
61 2. If this version upgrade is not an option at the present time,
62 alternatively the following patch may be applied to the OpenSSL
63 source code to resolve the problem. The patch is compatible with
64 the 0.9.6, 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL.
66 o http://www.openssl.org/news/patch-CVE-2006-4339.txt
68 Whether you choose to upgrade to a new version or to apply the patch,
69 make sure to recompile any applications statically linked to OpenSSL
76 The OpenSSL team thank Philip Mackenzie, Marius Schilder, Jason Waddle
77 and Ben Laurie, of Google Security, who successfully forged various
78 certificates, showing OpenSSL was vulnerable, and provided the patch
85 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
86 http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
88 URL for this Security Advisory:
89 http://www.openssl.org/news/secadv_20060905.txt