Overview
Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures.
Description
RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data to ensure message hashes are adequately sized. One such padding scheme is specified in the Public-Key Cryptography Standard #1 (PKCS-1), which is defined in RFC 3447. Many RSA implementations may fail to properly verify signatures. Specifically, the verifier may incorrectly parse PKCS-1 padded signatures, ignoring data at the end of a signature. If this data is ignored and a RSA key with a public exponent of three is used, it may be possible to forge the signing key's signature. |
Impact
This vulnerability may allow an attacker to forge an RSA signature. |
Solution
Check with your vendor |
Vendor Information
Appgate Network Security Affected
Notified: September 08, 2006 Updated: September 13, 2006
Status
Affected
Vendor Statement
AppGate version 7.1.5 and earlier are vulnerable if x509 authentication is used. It is theoretically possible to forge a certificate and thus gain access to the system. A patch will be available from the AppGate support pages.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Affected
Updated: January 08, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to Apple Security Update 2006-007.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
AttachmateWRQ, Inc. Affected
Notified: September 06, 2006 Updated: October 20, 2006
Status
Affected
Vendor Statement
Attachmate has determined that Reflection for the Web is not vulnerable to CERT issue VU#845620.
Attachmate has determined that certain clients in the Reflection product line are vulnerable to CERT issue VU#845620. Attachmate is making patches available. For more information, see Attachmate’s support website at http://support.wrq.com/techdocs/2137.html.
Attachmate is still investigating whether the Reflection for Secure IT products (RSIT Server for Windows and RSIT Client and Server for UNIX) are vulnerable to CERT issue VU#845620. Please check the support web site below for the latest information.
Attachmate advises that interested parties regularly check Attachmate’s support websites for updates on security related issues:
http://support.wrq.com/techdocs/1708.html for Reflection products
http://support.wrq.com/techdocs/1704.html for Reflection for the Web
http://support.wrq.com/techdocs/1910.html for Reflection for Secure IT products
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Avaya, Inc. Affected
Notified: September 08, 2006 Updated: September 18, 2006
Status
Affected
Vendor Statement
Avaya is vulnerable to this issue, and our public response is located on the web at
http://support.avaya.com/elmodocs2/security/ASA-2006-188.htm
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Blue Coat Systems Affected
Updated: January 08, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.bluecoat.com/support/knowledge/openSSL_RSA_Signature_forgery.html.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cisco Systems, Inc. Affected
Notified: September 08, 2006 Updated: November 13, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian GNU/Linux Affected
Notified: September 08, 2006 Updated: October 03, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.debian.org/security/2006/dsa-1182
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks, Inc. Affected
Notified: September 06, 2006 Updated: September 11, 2006
Status
Affected
Vendor Statement
F5 products BIG-IP (4.x and 9.x), FirePass, and WANjet are vulnerable. Patches are being made available.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD, Inc. Affected
Notified: September 08, 2006 Updated: September 11, 2006
Status
Affected
Vendor Statement
All FreeBSD releases prior to FreeBSD 6.2 are affected by this issue. Patches have been released and FreeBSD Security Advisory FreeBSD-SA-06:19.openssl has been issued concerning the problem.
http://security.freebsd.org/advisories/FreeBSD-SA-06:19.openssl.asc
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gentoo Linux Affected
Notified: September 08, 2006 Updated: October 03, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.gentoo.org/security/en/glsa/glsa-200609-15.xml
If you have feedback, comments, or additional information about this vulnerability, please send us email.
GnuTLS Affected
Updated: September 20, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001205.html
An updated patch is available at http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001212.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Affected
Notified: September 08, 2006 Updated: November 13, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IAIK Java Group Affected
Notified: September 06, 2006 Updated: October 20, 2006
Status
Affected
Vendor Statement
Current versions of IAIK-JCE (3.142) and IAIK-JCE ME (3.04) are not vulnerable. IAIK-JCE versions 3.14 and earlier and IAIK-JCE ME versions 3.03 and earlier are vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Affected
Notified: September 08, 2006 Updated: January 08, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to IBM Security Annoucement 3117.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Internet Software Consortium Affected
Updated: January 19, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to 200611030511.kA35BviX044435.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Intoto Affected
Notified: September 08, 2006 Updated: September 21, 2006
Status
Affected
Vendor Statement
Intoto engineering team has analyzed the PKCS-1 signature padding vulnerability documented in this CERT vulnerability note, and found that its VPN and SSLVPN products are affected. Patch is available for fixing this potential vulnerability in Intoto products. Please contact Intoto at support@intoto.com to get the patch.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Juniper Networks, Inc. Affected
Notified: September 08, 2006 Updated: January 08, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to PSN-2006-10-002.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Affected
Notified: September 08, 2006 Updated: October 03, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.mandriva.com/security/advisories?name=MDKSA-2006:166
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mozilla, Inc. Affected
Updated: September 19, 2006
Status
Affected
Vendor Statement
Mozilla has fixed the RSA vulnerability described in VU#845620 and has released an advisory covering several affected products (http://www.mozilla.org/security/announce/2006/mfsa2006-60.html).
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenPKG Affected
Updated: November 13, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.029-bind.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenSSL Affected
Updated: September 06, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.openssl.org/news/secadv_20060905.txt.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Affected
Notified: September 08, 2006 Updated: September 11, 2006
Status
Affected
Vendor Statement
We have applied a fix for this issue to the OpenSSL package in Owl-current as of 2006/09/06 and Owl 2.0-stable as of 2006/09/09.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Opera Affected
Notified: September 19, 2006 Updated: September 21, 2006
Status
Affected
Vendor Statement
Refer to http://www.opera.com/support/search/supsearch.dml?index=845.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Oracle Corporation Affected
Updated: January 17, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
RSA Security, Inc. Affected
Notified: September 06, 2006 Updated: January 08, 2007
Status
Affected
Vendor Statement
RSA BSAFE SSL-C software has been examined and confirmed to be susceptible to this vulnerability; customers should upgrade to RSA BSAFE SSL-C 2.7.1 which includes remediation for this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat, Inc. Affected
Notified: September 08, 2006 Updated: October 03, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to https://rhn.redhat.com/errata/RHSA-2006-0680.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SSH Communications Security Corp Affected
Notified: September 08, 2006 Updated: November 13, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.ssh.com/documents/33/SSH_Tectia_Server_5.1.1_releasenotes.txt, http://www.ssh.com/documents/33/SSH_Tectia_Manager_2.2.1_releasenotes.txt, http://www.ssh.com/documents/33/SSH_Tectia_Server_zOS_5.2.1_releasenotes.txt, and http://www.ssh.com/documents/33/SSH_Tectia_Client_5.1.1_releasenotes.txt
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SUSE Linux Affected
Notified: September 08, 2006 Updated: September 29, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://www.novell.com/linux/security/advisories/2006_55_ssl.html.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Slackware Linux Inc. Affected
Notified: September 08, 2006 Updated: November 13, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to http://slackware.com/changelog/i386/ChangeLog-stable.txt
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems, Inc. Affected
Notified: September 06, 2006 Updated: October 04, 2006
Status
Affected
Vendor Statement
Refer to http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1&searchclaus
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sybase Affected
Updated: January 08, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to Sybase Alert 1047991.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ubuntu Affected
Notified: September 08, 2006 Updated: September 25, 2006
Status
Affected
Vendor Statement
In Ubuntu, three RSA implementations are affected:
- OpenSSL, which we fixed in http://www.ubuntu.com/usn/usn-339-1
- GnuTLS, which we fixed in http://www.ubuntu.com/usn/usn-348-1
- libnss3 from the Mozilla products;
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
VMware Affected
Updated: January 19, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
VMware has published advisories 9986131, 3069097, 254-200612, 253-200612, 213-200612, and 202-200612 in response to this issue. Please refer to those advisories for additional details.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
VanDyke Software Affected
Notified: September 08, 2006 Updated: January 22, 2007
Status
Affected
Vendor Statement
The following VanDyke Software products are affected by VU#845620:
- SecureCRT version 5.2.1 and earlier
- SecureFX version 4.0.1 and earlier
- VShell version 2.6.2 and earlier for Windows, RedHat
Linux, HP-UX, AIX, and Solaris.
Product updates which address this vulnerability are
available. For more information, please visit:
http://www.vandyke.com/support/advisory/2007/01/845620.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
rPath Affected
Updated: October 04, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to https://issues.rpath.com/browse/RPL-640.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Crypto++ Library Not Affected
Notified: September 06, 2006 Updated: September 07, 2006
Status
Not Affected
Vendor Statement
Crypto++ is not vulnerable to this attack. You can add this as a vendor statement for VU#845620.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F-Secure Corporation Not Affected
Notified: September 08, 2006 Updated: October 04, 2006
Status
Not Affected
Vendor Statement
F-Secure antivirus products are not vulnerable. The list of non-vulnerable products includes F-Secure Anti-Virus, F-Secure Internet Security, F-Secure Client Security, F-Secure Server Security, F-Secure Mobile Security, F-Secure Messaging Security Gateway, F-Secure Network Control, and all other products in F-Secure small business and corporate suites, also listed at http://www.f-secure.com/enterprises/products/.
F-Secure VPN+ versions up to version 6.12 are vulnerable in installations that use PKI CA issued certificates, which use third-party generated keys. The RSA key generator in F-Secure products has never allowed the generation of RSA keys with a public exponent of 3. This means that keys created with F-Secure tools cannot be used to mount an attack against F-Secure products or other systems.
The F-Secure SSH product line is exclusively distributed by Attachmate under the Reflection for Secure IT brand. Please see the vendor statement from Attachmate for more information.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Global Technology Associates Not Affected
Notified: September 08, 2006 Updated: September 18, 2006
Status
Not Affected
Vendor Statement
Global Technology Associates, Inc. has examined this issue and is pleased to report this issue does not impact any versions (current and past) of the GTA firewall products.
To report potential security vulnerabilities in GTA products, send an E-mail message to: security-alert@gta.com.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Lotus Software Not Affected
Notified: September 06, 2006 Updated: October 04, 2006
Status
Not Affected
Vendor Statement
IBM Lotus software products are not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
PGP Corporation Not Affected
Notified: September 12, 2006 Updated: September 13, 2006
Status
Not Affected
Vendor Statement
PGP Corporation's products are not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
PuTTY Not Affected
Notified: September 08, 2006 Updated: September 11, 2006
Status
Not Affected
Vendor Statement
I do not believe that any program in the PuTTY suite is, or has ever been, vulnerable to this attack.
The RSA verification code is in the function rsa2_verifysig() in our source file sshrsa.c, and a quick inspection shows clearly that it rigorously enforces that the ASN.1 data and hash value must be at the very bottom of the PKCS#1 padded integer.
For good measure, our RSA key generator does not, and has never, generated keys with an exponent of 3. (This has nothing to do with whether we're vulnerable to the attack itself, of course, but it does mean we are also not generating keys which can be abused to mount the attack against other systems.)
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
nCipher Corporation Ltd. Not Affected
Notified: September 26, 2006 Updated: September 28, 2006
Status
Not Affected
Vendor Statement
...we can confirm that none of nCipher's hardware security modules are vulnerable to this attack.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
3com, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
AT&T Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Alcatel Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
America Online, Inc. Unknown
Notified: September 07, 2006 Updated: September 07, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apache HTTP Server Project Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apache-SSL Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Aruba Networks, Inc. Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Avici Systems, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Bitvise Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Borderware Technologies Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Certicom Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Charlotte's Web Networks Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Chiaro Networks, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Clavister Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Computer Associates Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Covalent Technologies Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cray Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cryptlib Unknown
Notified: September 06, 2006 Updated: September 18, 2006
Status
Unknown
Vendor Statement
Although cryptlib shouldn't be vulnerable to the original Bleichenbacher attack, there is ongoing discussion about further attacks that affect any RSA keys with e=3. Because the security community currently doesn't know how serious the problem is, cryptlib users should disable the use of any RSA keys with e=3 by changing the check 'if( BN_get_word( e ) < 3 )' in initCheckRSAkey() in context/kg_rsa.c to 'if( BN_get_word( e ) < 17 )'. Note that this will disable the use of a small number of existing keys that use e=3 (although cryptlib itself will never generate or use private keys with this
value), but until the exact nature of the problem is fully understood this is the only safe fix.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
D-Link Systems, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Data Connection, Ltd. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
EMC, Inc. (formerly Data General Corporation) Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ericsson Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Extreme Networks Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fedora Project Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FiSSH Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Force10 Networks, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fortinet, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Foundry Networks, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreSSH Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hyperchip Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM eServer Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IP Filter Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Intel Corporation Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
InterPeak Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
InterSoft International Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Internet Security Systems, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Linksys (A division of Cisco Systems) Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Lucent Technologies Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Luminous Networks Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MacSSH Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mirapoint, Inc. Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Multinet (owned Process Software Corporation) Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Multitech, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetComposite Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Network Appliance, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NextHop Technologies, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nokia Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: September 07, 2006 Updated: September 07, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenSSH Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Pragma Systems Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Redback Networks, Inc. Unknown
Notified: September 08, 2006 Updated: October 03, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Riverstone Networks, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Secure Computing Enterprise Security Division Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Secure Computing Network Security Division Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Secureworx, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Spyrus Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Stunnel Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Symantec, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group (SCO Unix) Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Trustix Secure Linux Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Verisign Unknown
Notified: September 11, 2006 Updated: September 11, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Watchguard Technologies, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
WeOnlyDo! Software Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
WinSCP Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
ZyXEL Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
eSoft, Inc. Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
lsh Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
mod_ssl Unknown
Notified: September 06, 2006 Updated: September 06, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
netfilter Unknown
Notified: September 08, 2006 Updated: September 08, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
- http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
- http://www.openssl.org/news/secadv_20060905.txt
- http://secunia.com/advisories/21709/
- http://www.rsasecurity.com/rsalabs/node.asp?id=2125
- http://www.ietf.org/rfc/rfc3447.txt
- http://www.securityfocus.com/bid/22083
Acknowledgements
This vulnerability was reported by Daniel Bleichenbacher.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2006-4339 |
| Severity Metric: | 7.56 |
| Date Public: | 2006-09-05 |
| Date First Published: | 2006-09-11 |
| Date Last Updated: | 2007-02-08 15:09 UTC |
| Document Revision: | 104 |