OpenSSL may fail to detect forged digital signatures under certain conditions because of an implementation error: a check that is missing while verifying the RSA signature. The flaw affects all systems that use the OpenSSL library, and in particular servers secured with SSL/TLS and VPNs based on SSL/TLS. OpenSSL versions 0.9.7k and 0.9.8c have eliminated the vulnerability.
The attack only works against keys with a public exponent of 3. There are not too many of these around any more, but you still run into them occasionally. It depends on an error in verifying the PKCS#1 padding of the signed hash.
The security notice from the OpenSSL team states that attacks are only possible if a Certificate Authority (CA) uses an RSA key with the exponent 3 for X.509 certificates. It does not say how one can determine this concretely, however, and the advisory acknowledges that this kind of key is quite common.
An attacker could forge a signature that is accepted as valid, since the OpenSSL implementation does not check whether the RSA signature block contains superfluous data after the hash. All users should therefore upgrade to the new version. OpenSSL is also releasing patches for versions 0.9.6, 0.9.7, 0.9.8 and 0.9.9 as an alternative.
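To make the missing check concrete, here is an added Python illustration (not code from the OpenSSL advisory or library): a lax PKCS#1 v1.5 block parser that silently ignores bytes after the DigestInfo, beside the strict comparison that rejects them. The blocks are constructed for an assumed 1024-bit (128-byte) modulus and a constructed message; no key or forgery is involved.

```python
import hashlib

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def digest_info_sha1(message: bytes) -> bytes:
    """DigestInfo = prefix || SHA-1(message), 35 bytes."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()

def emsa_pkcs1_v15_encode(t: bytes, k: int) -> bytes:
    """The only valid encoding: 00 01 FF..FF 00 || t, padded to exactly k bytes."""
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def recover_digest_info_lax(em: bytes) -> bytes:
    """Lax parse in the shape of the 2006 flaw: skip 00 01 FF..FF 00, read one
    DER SEQUENCE, and ignore whatever follows it instead of rejecting it."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        raise ValueError("padding not terminated")
    body = em[i + 1:]
    if body[0] != 0x30 or body[1] & 0x80:  # short-form SEQUENCE only
        raise ValueError("bad DigestInfo")
    return body[:2 + body[1]]                # trailing bytes silently dropped

def verify_em(em: bytes, k: int, expected_t: bytes, strict: bool) -> bool:
    """strict=True is the fix: k fixes the padding length, so compare the whole block."""
    if len(em) != k:
        return False
    if strict:
        return em == emsa_pkcs1_v15_encode(expected_t, k)
    try:
        return recover_digest_info_lax(em) == expected_t
    except (ValueError, IndexError):
        return False

def demo(k: int = 128):
    """Constructed blocks: one well formed, one with minimal padding plus filler after t."""
    t = digest_info_sha1(b"constructed message")
    good = emsa_pkcs1_v15_encode(t, k)
    filler = b"\x00" * (k - 3 - 8 - len(t))
    malformed = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + filler
    return (verify_em(good, k, t, True), verify_em(malformed, k, t, True),
            verify_em(good, k, t, False), verify_em(malformed, k, t, False))
```

`demo()` returns `(True, False, True, True)`: the strict check rejects the block with filler after the DigestInfo, while the lax parser accepts it just like the well-formed one.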