SecurityTracker.com

Category:   Application (Security)  >   RSA BSAFE Crypto-C
Vendors:   EMC, RSA
RSA BSAFE Crypto-C Micro Edition 'ServerKeyExchange' Flaw Lets Remote Users Obtain Private Keys on the Target System
SecurityTracker Alert ID:  1035515
SecurityTracker URL:  http://securitytracker.com/id/1035515
CVE Reference:   CVE-2016-0887
Date:  Apr 12 2016
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0.x; 4.1.x prior to 4.1.3
Description:   A vulnerability was reported in RSA BSAFE Crypto-C Micro Edition. A remote user can obtain a private key on the target system.

A remote user can use specially crafted Chinese Remainder Theorem (CRT) private values and then attempt to establish a TLS connection to a target server that implements the 'ServerKeyExchange' handshake message, negotiate Perfect Forward Secrecy with the target server, and monitor for a ServerKeyExchange message failure to recover the RSA private key data.

The vulnerability is due to an undetected error that may occur during a PKCS #1 v1.5 RSA signature operation using CRT private values.

The side channel attack method is referred to as "Lenstra's Attack".

RSA BSAFE Micro Edition Suite (MES) and RSA BSAFE SSL-C are also affected.
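
Added example (not code from this advisory, the vendor, or RSA BSAFE): a toy RSA-CRT signer showing why an undetected error in one CRT half matters, next to the standard verify-before-release check that withholds such a signature. The key, the integer `m` standing in for the PKCS #1 v1.5 encoded message, and all function names are constructed for illustration; the advisory does not say whether the vendor's fix works this way.

```python
from math import gcd

# Constructed toy key (small primes for readability; real keys are 2048+ bits).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def crt_sign(m, fault=False):
    """RSA-CRT private operation on an already-encoded message integer m.

    fault=True flips one bit of the mod-q half to simulate the kind of
    computation error the advisory says went undetected.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1
    h = (QINV * (sp - sq)) % P          # Garner recombination
    return sq + h * Q


def sign_checked(m, fault=False):
    """Hardened signer: verify with the public key before releasing anything."""
    s = crt_sign(m, fault)
    if pow(s, E, N) != m % N:
        raise ValueError("RSA-CRT self-check failed; signature withheld")
    return s


def shared_factor(m, s):
    """gcd(s^e - m, n): equals n for a correct signature, but a prime factor
    of n when exactly one CRT half was wrong. PKCS #1 v1.5 signature padding
    is deterministic, so m is known to whoever receives the signature."""
    return gcd((pow(s, E, N) - m) % N, N)


if __name__ == "__main__":
    m = 123456789                        # constructed message representative
    print("good signature verifies:", pow(sign_checked(m), E, N) == m)
    print("gcd for faulty output  :", shared_factor(m, crt_sign(m, fault=True)))
    try:
        sign_checked(m, fault=True)
    except ValueError as exc:
        print("hardened signer        :", exc)
```

The self-check costs one public-key exponentiation per signature, which is small next to the private operation when `e` is 65537.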

Impact:   A remote user can obtain private keys on the target system.
Solution:   The vendor has issued a fix (4.1.3; Advisory ESA-2016-013).

[Editor's note: The vendor recommends that all RSA BSAFE SSL-C customers upgrade to RSA BSAFE Micro Edition Suite (MES) due to Extended Support status.]

Vendor URL:  www.emc.com/
Cause:   Exception handling error

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC