Sjaeckel

**Name of the Vulnerable Software and Affected Versions** LibTomCrypt versions prior to 2.2.0 OP-TEE versions prior to 2.2.0 **Description** The issue arises from the rsa verify hash ex function in rsa verify hash.c, which fails to validate that the message length matches the ASN.1 encoded data length. This oversight enables remote attackers to forge RSA signatures or public certificates by exploiting a Bleichenbacher signature forgery attack. **Recommendations** For LibTomCrypt versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. For OP-TEE versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the rsa verify hash ex function until a patch is available.