OpenSSL Hit by Forgery Bug
Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."
Way to be about 2 weeks behind the news, slashdot.
"No matter where you go, there you are." -- Buckaroo Banzai
more like,
all your certs are belong to me
ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique.
Who knew that OpenSSL would have ever had anything in common with a Wal-Mart cashier?
The theory of relativity doesn't work right in Arkansas.
Slashdot. News for time travellers who just arrived here from two and a half weeks ago.
http://www.openssl.org/news/secadv_20060905.txt
I would hope that all serious users of OpenSSL have already patched this. FreeBSD and Debian were on top of it the same day it was announced. Others too, no doubt.
If only they'd released a 1.0 version that would never have happened...
libguestfs - tools for accessing and modifying virtual machine disk images
Yeah, let's all name our favorite piece of software that already updated this bug which was reported over 20 days ago. A bit of extra spam won't hurt, especially if you can karma whore with Debian and Ubuntu.
Seems they haven't yet issued an update for Mac OS X Panther (which has OpenSSL at 0.9.7i).
It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest. The FreeBSD security advisory has some good info on why. To quote: (emphasis mine)
So yeah, there may be some vulnerable sites out there, but they were already weaker than they should have been, and most sites are likely unaffected. That, coupled with the simplicity of the fix (both as provided in source form and from the OS vendors) makes this a non-story.
noah
I think you meant to reply to the AOL thread. This is OpenSSL.
~janus zeal
Mindlessly attacking Windows doesn't make this flaw go away in the open source software, just as saying something bad about China doesn't make the United States the land of the free or the home of the brave. Replying to this message with some inaccurate claim about Windows having a thousand new bugs every day won't make it go away either.
This weakness was first described at the CRYPTO conference in August, and a technical explanation of the exploit was public on Aug. 27. OpenSSL issued its advisory and patch on Sept. 5, and the Netcraft article cited by ZDNet has been online since Sept. 7. So while this is a potentially problematic security issue, it's not brand new, has been patched by OpenSSL, and quite a few vendors have issued patches as well.
RichM
Data Center Knowledge
While I'm as quick to fawn over Google, let's give credit to "Daniel Bleichenbacher, a cryptographer with Bell Labs" for finding it.
To be entirely fair, my understanding is that Bleichenbacher said "hey guys, I just found a bug in some non-openssl crypto code, you guys should check to see if you have a similar bug". It was the people from Google who said "ok, let's look through the openssl source code and see if it does anything dumb like this".
Tarsnap: Online backups for the truly paranoid
From what I remember of the earlier Slashdot story, didn't it require a large tail of semi-random junk on the file, and so the consensus was that it was interesting but unexploitable? Or was that something else...
I use Tic-Tacs you insensitive clod!
==============
openssl (0.9.8a-7ubuntu0.1) dapper-security; urgency=low
* SECURITY UPDATE: signature forgery in some cases.
* Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
- Check excessive data in padding of PKCS #1 v1.5 signatures to prevent applications from incorrectly verifying the certificate.
* References:
CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt
This isn't really a problem with buggy coding - it's a crypto math problem that is affected by implementation choices, and new crypto discoveries can hit some code harder than others. The code here was checked very thoroughly by *lots* of people, including some really strong crypto experts, because it's critical code for a lot of people. With RSA signatures, there's a public exponent "e" and a private exponent "d", and e is a pretty arbitrary prime, so it's common to pick a value that lets you do fast calculations. The popular values are 3, 65537, and occasionally 17, and it's hard to find a number x such that x**e mod n == y if you don't know d (or p and q.) The problem is that it's not so hard to find x and some junk such that (x,junk)**e mod n == (y,otherjunk), at least if e is small enough, and the standard ASN.1 code makes it easy to add arbitrary junk. 3 is small enough (and really fast to use), 17 might be, 65537 is pretty safe, and ASN.1 is the Mos Eisley of data representation protocols, a wretched hive of scum and villainy that nobody wants to mess around in. So some people do the right thing in checking the "otherjunk" beyond the y, but not everybody did, and until Bleichenbacher's attack you didn't need to.
Open Source does mean that you *can* update your copy of OpenSSL, without waiting for Microsoft Patch Day - and in the crypto world, the only way to trust anything is for the algorithms and implementation code to be documented and readable. They don't have to be "open" in the sense of "accepting patches from arbitrary people" or "free as in speech, not patented, not copyrighted, guaranteed to make RMS happy", but if you can't see the algorithms or install code you've recompiled from scratch yourself, you can't trust it.
So the fact that you've got to update OpenSSL and link it in to other code is really fine here - if you're paranoid, you need to do it yourself, and you've got the tools to do it; if you're not paranoid, this is a fairly tough exploit to actually do anything useful with, though you could go deleting a few certificates from your browser's security files if you're worried.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
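The "check excessive data in padding" line in the Ubuntu changelog above and Bill Stewart's point about the "otherjunk" beyond the hash are the same check. As an added example, not code from OpenSSL or from any poster here, this Python models the two verifier behaviours side by side: a lenient parser that stops comparing once it has matched the DigestInfo, and the fixed approach from RFC 3447 section 8.2.2 that rebuilds the whole expected encoding and compares every byte. The message, the 128-byte modulus size and the filler bytes are constructed for the demonstration.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def digest_info(message: bytes) -> bytes:
    """T = DigestInfo(SHA-1(message)) as it sits inside the PKCS #1 v1.5 EM."""
    return SHA1_PREFIX + hashlib.sha1(message).digest()

def encode_em(t: bytes, k: int) -> bytes:
    """Correct EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 T, filling all k bytes."""
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def lenient_check(em: bytes, t: bytes) -> bool:
    """Models the vulnerable parser: walk 00 01 FF..FF 00, compare only the
    bytes where T is expected, and never look at what follows them."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    return em[i:i + len(t)] == t          # trailing bytes are ignored here

def strict_check(em: bytes, t: bytes) -> bool:
    """Fixed check: rebuild the full expected EM for this key size and compare
    all k bytes, so there is no room for extra data after T."""
    try:
        expected = encode_em(t, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def sample_ems(k: int = 128) -> tuple:
    """Constructed inputs: a well-formed EM, and one with a minimal PS and
    filler after T, the shape that only the trailing-data check rejects."""
    t = digest_info(b"constructed test message")
    good = encode_em(t, k)
    tail = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    tail += b"\x42" * (k - len(tail))     # constructed filler bytes
    return t, good, tail
```

Both inputs have the same length and the same DigestInfo, so the only difference between the two results is whether the verifier insists that T ends exactly at the last byte.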
And I suppose you think this is a special feature held by Debian only?
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Remember, foolish boy, if it's Windows, it's a flaw; if it's open source, it must be Microsoft's fault for creating a culture of closed code. Finding a bug in anything but MS will somehow spark an unequal response calling out the faults of MS. It's a knee-jerk reaction by this crowd because they really don't feel that secure about their position.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
First a huge raft of problems in gzip, now this. Thank you, Google. But you have to wonder--is there a point at which fewer security issues will be found in system software? I mean, it's gzip! It's not like it's some new whizbang technology; this has been around for more than ten years. The real question to be asked is why we're still finding these problems now.
Laws do not persuade just because they threaten. --Seneca
Firefox/Thunderbird had this fix applied in 1.5.0.7, released on 2006/09/14.
Seamonkey had this fix applied in 1.0.5, released on 2006/09/14.
Opera had this fix applied in Opera 9.02, released on 2006/09/21.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Girl, not boy.
ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique.
Did OpenBSD ship with any of this code?
If so, then wouldn't this be Theo's second pwning?
Some common web browsers are affected by this attack too. For example, this worked against Mozilla Firefox and Opera in their default configuration. Using this attack, you could do a man-in-the-middle attack against every SSL connection. Using this attack for digital signatures on emails would have been possible too.
There are some details about the affected browsers:
http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
I had submitted the same news on the 6th, but it was rejected by the editor.
http://www.heise-security.co.uk/news/77800
There is no security reduction from RSA to factoring, for e=3 or any other e. In fact there's strong evidence that there will never be such a reduction.
In addition, any such security reduction won't apply to PKCS #1.5 - a proper padding method, like OAEP+, must be used for the security reduction to apply.
There is such a reduction for e=2 aka Rabin, but that's not RSA any more, because your equations have multiple solutions. I nonetheless recommend adoption of Rabin everywhere RSA is now used, since it's better in every possible respect.
Xenu loves you!
Will you have sex with me?
... OpenSSH is dead
Don't call me a cowboy, and don't tell me to slow down!
Gah! You need to warn people about your site! The eyes! They burn!!
Because, umm, I wasn't using Linux then? Because it's not insane to ask that programs be written right in the first place? Because auditing an incredibly widely-used library isn't too much to ask? Because crypto is a subtle art, very easy to get wrong, and there aren't that many people who can competently audit crypto code? Because I do file a ton of bug reports (for what I can reproduce) and patches (for what I can code), but I never got around to fuzz-testing gzip, which might have revealed some of its issues?
Laws do not persuade just because they threaten. --Seneca
If OpenSSL can also be attacked by a bug, what else should we trust to secure our data?
Paid services can't secure our data.. and now even the 'secure' open source service can't secure it.. so now what should we use? Seriously man.. what should we use?? Any suggestion??
If anyone wonders.. here is the definition of OpenSSL.. courtesy of wikipedia.org...
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), and also for Microsoft Windows. OpenSSL is based on SSLeay by Eric Young and Tim Hudson, development of which unofficially ended around December 1998, when Tim and Eric both moved to work for RSA Security.
It's been stated in Help Net Security that the only solution to this problem is to:
Upgrade to version 0.9.8c, 0.9.7k or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
'No known workarounds' seems like quite an exaggeration!
It's normal for technologies to be upgraded, right? But you have to admit though.. everything seems to require regular upgrading nowadays. At least once! Even humans need a so-called self-upgrading. What more technologies which are created by humans?
To those of you (humans) who have yet to realise what security complications would be seen from this vulnerability issue, here are some of the major classifications of effects:
1. Remote vulnerability
2. Impact on integrity
3. Exploit unknown
4. Verified
http://www.net-security.org/vulnerability.php?id=
".. winners don't do different things, they do things differently."
"OpenSSL versions up to 0.9.7j and 0.9.8b" The software package created above is not a predictable program because it is vulnerable to a signature forgery technique although it uses strong cryptography.
There are multiple ways to avoid this vulnerability. Any one of the following measures is sufficient.

1. Upgrade the OpenSSL server software. The vulnerability is resolved in the following versions of OpenSSL:
   - in the 0.9.7 branch, version 0.9.7k (or later);
   - in the 0.9.8 branch, version 0.9.8c (or later).

   OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
     o http://www.openssl.org/source/
     o ftp://ftp.openssl.org/source/

   The distribution file names are:
     o openssl-0.9.8c.tar.gz
       MD5 checksum: 78454bec556bcb4c45129428a766c886
       SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d
     o openssl-0.9.7k.tar.gz
       MD5 checksum: be6bba1d67b26eabb48cf1774925416f
       SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2

   The checksums were calculated using the following commands:
     openssl md5 openssl-0.9*.tar.gz
     openssl sha1 openssl-0.9*.tar.gz

2. If this version upgrade is not an option at the present time, alternatively the following patch may be applied to the OpenSSL source code to resolve the problem. The patch is compatible with the 0.9.6, 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL.
     o http://www.openssl.org/news/patch-CVE-2006-4339.txt
Whether you choose to upgrade to a new version or to apply the patch,
make sure to recompile any applications statically linked to OpenSSL
libraries.
Although this bug has been fixed in SSL, browsers are also affected by it. The attack requires that one of the accepted certificate authorities uses an RSA key with the exponent 3. All of the major browsers have such a CA. Browsers like IE and Safari are not affected by this. Firefox however is affected, but there already exists a fix from version 1.5.0.7, so no need to worry if you're using Firefox and you're up to date. Konqueror meanwhile uses OpenSSL libraries and is not affected if it is up to date. The only browser that is still affected is Opera. The update is not yet available and will only be available "soon". It is recommended that you remove Opera until an update is made available. This problem also does not affect only browsers. It affects programs that use X.509 certificates. Cheers.
Oh, then just update it!! That is why we have many versions, don't we?
OpenSSL 0.9.8 was released on July 5, 2005.
OpenSSL 0.9.7 was released on December 31, 2002.
OpenSSL 0.9.6 was released on September 25, 2000.
OpenSSL 0.9.5 was released on February 28, 2000.
OpenSSL 0.9.4 was released on August 9, 1999.
OpenSSL 0.9.3 was released on May 25, 1999.