{"vuid":"VU#845620","idnumber":"845620","name":"Multiple RSA implementations fail to properly handle signatures","keywords":["Mozilla","NSS","crypto library","RSA signatures","apple-2006-007","oracle_cpu_jan_2007","OHS06"],"overview":"Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures.","clean_desc":"RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data to ensure message hashes are adequately sized. One such padding scheme is specified in the Public-Key Cryptography Standard #1 (PKCS-1), which is defined in RFC 3447. Many RSA implementations may fail to properly verify signatures. Specifically, the verifier may incorrectly parse PKCS-1 padded signatures, ignoring data at the end of a signature. If this data is ignored and a RSA key with a public exponent of three is used, it may be possible to forge the signing key's signature. Note that any application that uses RSA signatures may be affected by this vulnerability. This includes, but is not limited to, SSH, SSL, PGP, and X.509 applications. This issue is further discussed on the ietf-openpgp mailing list.","impact":"This vulnerability may allow an attacker to forge an RSA signature.","resolution":"Check with your vendor\nSee the systems affected section of this document for information about how specific vendors are addressing this vulnerability.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported by \nDaniel Bleichenbacher.","author":"This document was written by Jeff Gennari.","public":["http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html","http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/","http://www.openssl.org/news/secadv_20060905.txt","http://secunia.com/advisories/21709/","http://www.rsasecurity.com/rsalabs/node.asp?id=2125","http://www.ietf.org/rfc/rfc3447.txt","http://www.securityfocus.com/bid/22083"],"cveids":["CVE-2006-4339"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-09-05T18:37:21Z","publicdate":"2006-09-05T00:00:00Z","datefirstpublished":"2006-09-11T11:35:28Z","dateupdated":"2007-02-08T15:09:44Z","revision":104,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"13","cam_population":"15","cam_impact":"8","cam_easeofexploitation":"6","cam_attackeraccessrequired":"20","cam_scorecurrent":"7.56","cam_scorecurrentwidelyknown":"8.91","cam_scorecurrentwidelyknownexploited":"14.31","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.56,"vulnote":null}