FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openssl -- Incorrect PKCS#1 v1.5 padding validation in crypto(3)

Affected packages
0.9.8 < openssl < 0.9.8c_9
openssl < 0.9.7k_0
Affected systems
6.1 < FreeBSD < 6.1_6
6.0 < FreeBSD < 6.0_11
5.5 < FreeBSD < 5.5_4
5.4 < FreeBSD < 5.4_18
5.3 < FreeBSD < 5.3_33
FreeBSD < 4.11_21

Details

VuXML ID 077c2dca-8f9a-11db-ab33-000e0c2e438a
Discovery 2006-09-06
Entry 2006-12-19

Problem Description

When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes.

Impact

OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.
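As an added example (not OpenSSL's code or the advisory's own), the following Python models the check described under Problem Description and Impact at the level of the decoded PKCS#1 v1.5 block, i.e. after the RSA public-key operation: a lenient verifier that stops examining the block once the DigestInfo matches, and a strict verifier that compares the whole block against the expected encoding, which is what a fixed implementation must do. The SHA-1 DigestInfo prefix is the standard one from RFC 3447; the message, modulus size and filler bytes are constructed.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2 note 1); the 20-byte hash follows it.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def digest_info(msg: bytes) -> bytes:
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()

def emsa_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """Correct EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo, exactly k bytes."""
    t = digest_info(msg)
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def verify_lenient(em: bytes, msg: bytes) -> bool:
    """Models the defect: walk the padding, compare the DigestInfo, and never
    look at whatever follows it."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:   # at least 8 bytes of FF, then 00
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t           # trailing bytes are ignored here

def verify_strict(em: bytes, msg: bytes) -> bool:
    """Correct check: the whole k-byte block must equal the expected encoding."""
    try:
        expected = emsa_pkcs1_v15_encode(msg, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def block_with_trailing_bytes(msg: bytes, k: int) -> bytes:
    """Constructed test input: minimal padding, the real DigestInfo, then filler
    bytes in the space a valid encoding would have spent on FF padding."""
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    return head + b"\x42" * (k - len(head))

if __name__ == "__main__":
    msg, k = b"constructed sample message", 128     # k = 1024-bit modulus size
    good, bad = emsa_pkcs1_v15_encode(msg, k), block_with_trailing_bytes(msg, k)
    print("valid block   :", verify_lenient(good, msg), verify_strict(good, msg))
    print("trailing bytes:", verify_lenient(bad, msg), verify_strict(bad, msg))
```

A regression test for the fix is the second case: a block carrying the right DigestInfo followed by unexamined bytes must be rejected, and only the strict verifier does so.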

Workaround

No workaround is available.

References

CVE Name CVE-2006-4339
FreeBSD Advisory SA-06:19.openssl