Security Advisories
Security Vulnerability with OpenSSL: RSA Signature Forgery (CVE-2006-4339)
Date:
Reported by the OpenSSL Security Update Bulletin on 9/7/06
Severity: Medium
Description:
If an RSA key with exponent 3 is used, it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they do not check for excess data in the RSA exponentiation result of the signature. Because CAs using exponent 3 are in wide use, and PKCS #1 v1.5 is used in X.509 certificates, all software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as is any other use of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or TLS.
Fixed in:
SG 3.2.7.8 PR, SG 4.1.4.12 PR, SG 4.2.2.10 PR and SG 5.1.3.x
Additional Information:
http://www.ciac.org/ciac/bulletins/q-304.shtml
http://www.openssl.org/news/patch-CVE-2006-4339.txt
For more information, please contact the Blue Coat Technical Support Department.
