
CERT Coordination Center

X.509 certificate verification may be vulnerable to resource exhaustion

Vulnerability Note VU#423396

Original Release Date: 2006-09-28 | Last Revised: 2007-02-09

Overview

Some applications that perform X.509 certificate verification may be vulnerable to signature processing problems that lead to resource exhaustion. This vulnerability may cause a denial of service.

Description

Included in X.509 certificates are public keys used for digital signature verification. Choosing very large values for the public exponent and public modulus associated with an RSA public key may cause the verification of that key to require large amounts of system resources. According to NISCC:

...by choosing much larger values for [the public exponent and the public modulus], it may be possible to cause the verification process to consume large amounts of system resources and hence result in a denial-of-service condition.
This vulnerability can be triggered by sending a message signed using specially crafted RSA keys to affected products. A number of different products that verify RSA signatures may be vulnerable to this issue. Please see the Systems Affected section of this document for specific product information.
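As an added example (not code from this note or from any of the vendors listed), the kind of parameter check a verifier can run on a PKCS#1 RSAPublicKey before it performs the modular exponentiation: the bit-length caps on the modulus and public exponent are assumptions modelled on the limits adopted by OpenSSL's fix, not values stated in this note.

```python
MAX_MODULUS_BITS = 16384   # assumed cap (OpenSSL-style), not from the note
MAX_PUBEXP_BITS = 64       # assumed cap on the public exponent

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte keeps sign positive
    return b"\x02" + _der_len(len(b)) + b

def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def check_rsa_public_key(n, e):
    # Bound the parameters so pow(sig, e, n) cannot be made arbitrarily expensive.
    if n.bit_length() > MAX_MODULUS_BITS:
        return False, "modulus too large"
    if e.bit_length() > MAX_PUBEXP_BITS:
        return False, "public exponent too large"
    if e < 3 or e % 2 == 0 or e >= n:
        return False, "public exponent out of range"
    return True, "ok"

def verify_raw(sig, n, e):
    ok, reason = check_rsa_public_key(n, e)   # refuse before the costly modexp
    if not ok:
        raise ValueError(reason)
    return pow(sig, e, n)
```

The cost of the final `pow` grows with the bit length of both `e` and `n`, which is why the check runs before it rather than after.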

Impact

A remote, unauthenticated attacker could consume large amounts of system resources on an affected device, thereby creating a denial of service.

Solution

Upgrade or apply a patch from the vendor
Patches have been released to address this issue. See the Systems Affected section of this document for information about specific vendors.

Vendor Information


Apple Computer, Inc. Affected

Updated:  December 04, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Apple Security Update 2006-007.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya, Inc. Affected

Updated:  November 10, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Avaya Security Alert ASA-2006-220.


Cisco Systems, Inc. Affected

Updated:  November 13, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Cisco Security Response 20061108-openssl.


Debian GNU/Linux Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.debian.org/security/2006/dsa-1185


FreeBSD, Inc. Affected

Updated:  September 28, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See The FreeBSD Project Security Advisory http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc


Gentoo Linux Affected

Updated:  January 19, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to glsa-200612-11.


GnuTLS Affected

Updated:  September 28, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See GnuTLS Security advisory 20040802, http://www.hornik.sk/SA/SA-20040802.txt


Hewlett-Packard Company Affected

Updated:  January 19, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to HPSBUX02174.


Mandriva, Inc. Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.mandriva.com/security/advisories?name=MDKSA-2006:172


OpenBSD Affected

Updated:  October 23, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to OpenBSD SECURITY FIX 013.


OpenPKG Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html


OpenSSL Affected

Updated:  September 28, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See OpenSSL Security Advisory 20060928 http://www.openssl.org/news/secadv_20060928.txt


Oracle Corporation Affected

Updated:  January 17, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html


Red Hat, Inc. Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to https://rhn.redhat.com/errata/RHSA-2006-0695.html


SUSE Linux Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://support.novell.com/techcenter/psdb/16e2a93b390a1ceb86b0945a88a4d415.html


Slackware Linux Inc. Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946


Sun Microsystems, Inc. Affected

Updated:  November 10, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Sun Alert 102668.


Trustix Secure Linux Affected

Updated:  October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.trustix.org/errata/2006/0054/


Ubuntu Affected

Updated:  September 28, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Ubuntu Security Notice USN-353-1 http://www.ubuntu.com/usn/usn-353-1.


VMware Affected

Updated:  January 19, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to document 9986131.


rPath Affected

Updated:  October 06, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://issues.rpath.com/browse/RPL-613


References

Acknowledgements

NISCC credits Dr. Stephen N. Henson for reporting this vulnerability. This issue was originally reported in GnuTLS by Patrik Hornik.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2006-2940
Severity Metric: 7.92
Date Public: 2004-08-02
Date First Published: 2006-09-28
Date Last Updated: 2007-02-09 21:30 UTC
Document Revision: 63

Sponsored by CISA.