(SSH Issues Fix for Tectia Server) OpenSSL RSA Signatures Can Be Forged
|
|
SecurityTracker Alert ID: 1017060 |
|
SecurityTracker URL: http://securitytracker.com/id/1017060
|
|
CVE Reference:
CVE-2006-4339
(Links to External Site)
|
Date: Oct 13 2006
|
Impact:
Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in OpenSSL. A remote user may be able to forge certain digital signatures. SSH Tectica Server is also affected.
If an RSA key with exponent 3 is used, a remote user may be able to forge a PKCS #1 v1.5 signature for that key.
Software that uses PKCS #1 v1.5 may be affected. Software that uses OpenSSL to verify X.509 certificates may also be affected.
Daniel Bleichenbacher reported the type of attack that is possible against PKCS #1 v1.5 signatures.
|
Impact:
A remote user may be able to forge signatures (and certificates).
|
Solution:
SSH has issued the following fixes for SSH Tectica Server, available at:
http://www.ssh.com/support/downloads/
SSH Tectia Server/Client 5.1.1
SSH Tectia Server/Client/Connector 5.0.3
SSH Tectia Server/Client/Connector 4.4.7
SSH Tectia Client 4.3.10K
SSH Tectia Client 4.3.3J
SSH Tectia Server for IBM z/OS 5.1.1
SSH Tectia Server for IBM z/OS 5.2.1
The vendor notes that environments where all keys are created with SSH Tectia are not vulnerable.
The SSH advisory is available at:
http://www.ssh.com/company/news/article/786/
|
Vendor URL: www.ssh.com/company/news/article/786/ (Links to External Site)
|
Cause:
Authentication error
|
Underlying OS:
Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), z/OS
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 13 Oct 2006 07:19:00 -0400
Subject: RSA Signature Forgery Vulnerability in SSH Tectia
|
http://www.ssh.com/company/news/article/786/
CVE-2006-4339
|
|
