OpenSSL Hit by Forgery Bug

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."

Re:Google saves the day...

[tedgyz]

Wonder if Google Desktop search can help me find all the bugs in Windows...

While I'm as quick to fawn over Google, let's give credit to "Daniel Bleichenbacher, a cryptographer with Bell Labs" for finding it.

old news

[noahm]

Wow, that was like almost a month ago. All the major, and most of the minor, OS vendors and Linux distributors have long since announced released fixes. Why's it on slashdot now?

It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest. The FreeBSD security advisory [freebsd.org] has some good info on why. To quote: (emphasis mine)

RSA public keys may use a variety of public exponents, of which 3, 17, and 65537 are most common. As a result of a number of known attacks, most keys generated recently use a public exponent of at least 65537.
...
OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.

So yeah, there may be some vulnerable sites out there, but they were already weaker than they should have been, and most sites are likely unaffected. That, coupled with the simplicity of the fix (both as provided in source form and from the OS vendors) makes this a non-story.

noah

Vendors have Patched As Well

[miller60]

This weakness was first described at the CRYPTO conference in August, and a technical explanation of the exploit [imc.org] was public on Aug. 27, Open SSL issued its advisory and patch [openssl.org] on Sept. 5 and the Netcraft article [netcraft.com] cited by ZDNet has been online since Sept. 7. So while this is a potentially problematic security issue, it's not brand new, has been patched by OpenSSL and quite a few vendors have issued patches as well.

Re:This is old.

[cperciva]

I would hope that all serious users of OpenSSL have already patched this. FreeBSD and Debian were on top of it the same day it was announced.

I don't know about Debian, but FreeBSD didn't issue an advisory until the day after this went public. We have a very strict policy about making sure that security updates won't break anything, and OpenSSL's original patch was broken and not fixed until a day later [openssl.org].

In general you're right, though -- we hear about security issues before they go public and make sure we have advisories and patches ready.

Re:Google saves the day...

[towsonu2003]

I'll also give credit to Debian and Ubuntu, where openssl is already patched and good to go:

==============

openssl (0.9.8a-7ubuntu0.1) dapper-security; urgency=low

* SECURITY UPDATE: signature forgery in some cases.

* Apply http://www.openssl.org/news/patch-CVE-2006-4339.tx t [openssl.org]:

- Check excessive data in padding of PKCS #1 v1.5 signatures to prevent applications from incorrectly verifying the certificate.

* References:

CVE-2006-4339

http://www.openssl.org/news/secadv_20060905.txt [openssl.org]

Re:This is old.

[noahm]

I don't know about Debian, but FreeBSD didn't issue an advisory until the day after this went public. We have a very strict policy about making sure that security updates won't break anything, and OpenSSL's original patch was broken and not fixed until a day later.

It wasn't really per se, but it did contain some unnecessary code. None of it was major, and I don't think it would have caused any problems, but the revised patch, which we in Debian also used, touched fewer files and was generally simpler.

noah

Re:old news

[tqbf]

No, the impact of this problem was wider than what the front page suggests; the same bug hit Firefox (which uses its own "NSS" SSL library, not OpenSSL), and several of the root certificates were e=3 (e=3 is a widely-recommended optimization). Long story short, Firefox, Opera, and Konqueror are all spoofable until you download patches.

The simple exploit (generate a new WELLSFARGO.COM cert and "sign" it in a way that will trick a browser into believing a root CA signed it) is literally 3 lines of Python.

You're also wrong about the crypto details: e=3 RSA is not "weaker" than e=65537. The problem is not that people used "weak" RSA parameters; the problem is that they didn't verify all the bits in an RSA-decoded signature, but instead tried to fish something that looked like a valid SHA/MD5 hash out of it. If you screw up any of the details in RSA signature verification, you're screwed, e=3, e=5, or e=65537. Conversely if you get the details right, e=3 is as secure as factoring.

It is funny that this is just hitting Slashdot now; it's weeks old.

Re:#2 for de Raadt?

[Anonymous Coward]

They patched it almost 3 weeks ago [openbsd.org]