PT-2006-1000 · Openssl+3 · Openssl+3

Ben Laurie

Publicado

2006-09-05

Atualizado

2024-06-15

CVE-2006-4339

CVSS v2.0

4.3

Média

Vetor

AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: OpenSSL versions 0.9.7 through 0.9.7j OpenSSL versions 0.9.8 through 0.9.8b

Description: The issue allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by an RSA key with exponent 3, preventing OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. This could lead to unauthorized access to certificate-protected resources. The vulnerability affects PKCS #1 v1.5 signatures if the exponent of the public key is 3, which is widely used by Certificate Authorities. An attacker will likely exploit this vulnerability to forge signatures without the secret key.

Recommendations: For OpenSSL versions 0.9.7 through 0.9.7j, update to version 0.9.7k or later. For OpenSSL versions 0.9.8 through 0.9.8b, update to version 0.9.8c or later. As a temporary workaround, consider restricting the use of RSA keys with exponent 3 until a patch is available.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-310

Identificadores relacionados

BDU:2015-01376

BDU:2015-09530

BDU:2015-09531

CVE-2006-4339

DSA-1173-1

DSA-1174-1

HPSBUX02153

HPSBUX02165

HPSBUX02219

OPENSUSE-SU-2024:10650-1

OPENSUSE-SU-2024:11125-1

OPENSUSE-SU-2024:11126-1

OPENSUSE-SU-2024:11127-1

OPENSUSE-SU-2024:11128-1

RHSA-2006:0661

RHSA-2006_0661

RHSA-2007:0062

RHSA-2007:0072

RHSA-2007:0073

RHSA-2008:0264

RHSA-2008:0525

RHSA-2008:0629

SUSE-FU-2022:0445-1

Produtos afetados

Cisco Wls

Hp-Ux

Openssl

Red Hat

PT-2006-1000 · Openssl+3 · Openssl+3

CVE-2006-4339

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 532