OpenSSL Hit by Forgery Bug 69
Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."
Re:Google saves the day... (Score:5, Informative)
old news (Score:4, Informative)
It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest. The FreeBSD security advisory [freebsd.org] has some good info on why. To quote: (emphasis mine)
So yeah, there may be some vulnerable sites out there, but they were already weaker than they should have been, and most sites are likely unaffected. That, coupled with the simplicity of the fix (both as provided in source form and from the OS vendors) makes this a non-story.
noah
Vendors have Patched As Well (Score:3, Informative)
Re:This is old. (Score:3, Informative)
I don't know about Debian, but FreeBSD didn't issue an advisory until the day after this went public. We have a very strict policy about making sure that security updates won't break anything, and OpenSSL's original patch was broken and not fixed until a day later [openssl.org].
In general you're right, though -- we hear about security issues before they go public and make sure we have advisories and patches ready.
Re:Google saves the day... (Score:2, Informative)
==============
openssl (0.9.8a-7ubuntu0.1) dapper-security; urgency=low
* SECURITY UPDATE: signature forgery in some cases.
* Apply http://www.openssl.org/news/patch-CVE-2006-4339.tx t [openssl.org]:
- Check excessive data in padding of PKCS #1 v1.5 signatures to prevent applications from incorrectly verifying the certificate.
* References:
CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt [openssl.org]
Re:This is old. (Score:3, Informative)
It wasn't really per se, but it did contain some unnecessary code. None of it was major, and I don't think it would have caused any problems, but the revised patch, which we in Debian also used, touched fewer files and was generally simpler.
noah
Re:old news (Score:4, Informative)
No, the impact of this problem was wider than what the front page suggests; the same bug hit Firefox (which uses its own "NSS" SSL library, not OpenSSL), and several of the root certificates were e=3 (e=3 is a widely-recommended optimization). Long story short, Firefox, Opera, and Konqueror are all spoofable until you download patches.
The simple exploit (generate a new WELLSFARGO.COM cert and "sign" it in a way that will trick a browser into believing a root CA signed it) is literally 3 lines of Python.
You're also wrong about the crypto details: e=3 RSA is not "weaker" than e=65537. The problem is not that people used "weak" RSA parameters; the problem is that they didn't verify all the bits in an RSA-decoded signature, but instead tried to fish something that looked like a valid SHA/MD5 hash out of it. If you screw up any of the details in RSA signature verification, you're screwed, e=3, e=5, or e=65537. Conversely if you get the details right, e=3 is as secure as factoring.
It is funny that this is just hitting Slashdot now; it's weeks old.
Re:#2 for de Raadt? (Score:1, Informative)