OpenSSL Hit by Forgery Bug
Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."
Wonder if Google Desktop search can help me find all the bugs in Windows...
Way to be about 2 weeks behind the news, slashdot.
ha
I think I'm hearing the echo of someone saying that there was no hole, and that it was Pres. Bush ordering a new backdoor be put into it. "It's to protect us from the terrorists, and that's not evil."
rewriting history since 2109
This one is already fixed in Debian's openssl version 0.9.8b-3 in -testing (-unstable now has 0.9.8c-1), and 0.9.7e-3sarge2 in -stable-security.
This is one of the reasons I run Debian. Important things like this get fixed quickly and updating is painless, thanks to apt-get.
I expect that Ubuntu is similarly responsive. I know that it's just as easy to keep updated, since they use the same packaging and dependency-tracking mechanisms.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique.
Who knew that OpenSSL would have ever had anything in common with a Wal-Mart cashier?
The theory of relativity doesn't work right in Arkansas.
Bart: Homer, how can this be possible? Homer: Fire up the klystron, Bart, theres only two days left Bart: Lisa, is this true? Lisa: I've run out of garlic, someone go and get some more Maggie: Its in the greenhouse, but I can't go in, I'm allergic to trowels Homer: D'oh!
You mean some sleazeball lawyer will sue a sleazeball company and try to monetize this "leak" for his own gain. Then every user of AOL will get about .02 cents.... but STILL they can't uninstall AOL... wow, where did I put that AOL coffee coaster. Who cares.
Get:1 http://ftp.debian.org/ unstable/main libssl0.9.7 0.9.7k-1 [2279kB]
Slashdot. News for time travellers just arriving here from two and a half weeks ago.
http://www.openssl.org/news/secadv_20060905.txt
I would hope that all serious users of OpenSSL have already patched this. FreeBSD and Debian were on top of it the same day it was announced. Others too, no doubt.
If only they'd released a 1.0 version that would never have happened...
libguestfs - tools for accessing and modifying virtual machine disk images
Seems they haven't yet issued an update for Mac OS X Panther (which has OpenSSL at 0.9.7i).
It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest. The FreeBSD security advisory has some good info on why. To quote: (emphasis mine)
So yeah, there may be some vulnerable sites out there, but they were already weaker than they should have been, and most sites are likely unaffected. That, coupled with the simplicity of the fix (both as provided in source form and from the OS vendors) makes this a non-story.
noah
This weakness was first described at the CRYPTO conference in August, and a technical explanation of the exploit was public on Aug. 27. OpenSSL issued its advisory and patch on Sept. 5, and the Netcraft article cited by ZDNet has been online since Sept. 7. So while this is a potentially problematic security issue, it's not brand new, has been patched by OpenSSL, and quite a few vendors have issued patches as well.
RichM
Data Center Knowledge
From what I remember of the earlier slashdot story, didn't it require a large tail of semi-random junk on the file, and so the consensus was that it was interesting but unexploitable? Or was that something else...
You can't apply a technological solution to a social problem. Resellers will sell certs to anyone, and no one even bothers to have their certs signed anymore. Even my uni doesn't have a signed cert. You see messages like "if your browser says that the certificate authority isn't known, just click accept" and people just do that. Does anyone even understand what that message means? I mean anyone not in CS, and even then I'm not sure that most people grasp how the trust is supposed to go from Verisign down to your browser. Frankly I don't see what SSL _can_ protect. Unless anyone can understand how it works, the passing of certificates is doomed to be useless.
One of the fallacies of the open source movement is the belief that all the users access the code and help each other out in order to build the perfect software. How many people look at this and that in the Linux source to find all the bugs? Millions? More like 3-4. And that's generous, because it's probably just the developer doing the code while the rest give a quick gaze at checkin.
In the case of security, the lack of real benevolent oversight is compounded by constant verification by hackers and criminals in order to find the smallest security lapse. Then they share the knowledge amongst each other, and then they are free to wreak havoc. Wreak havoc not until a fix is produced, that's usually done pretty quickly, but until the fix propagates everywhere.
Someone who uses any open source software must constantly look at the news, like on slashdot, to see if they need to download a new version of the software. If they miss a day, they can be 100% vulnerable.
Now everybody who uses OpenSSL embedded in whatever application must carefully wait for an update to become available to that particular software. Who knows when? Until then, they are completely vulnerable to anyone who can read a usenet post.
Linux violates 235 Microsoft patents.
This isn't really a problem with buggy coding - it's a crypto math problem that is affected by implementation choices, and new crypto discoveries can hit some code harder than others. The code here was checked very thoroughly by *lots* of people, including some really strong crypto experts, because it's critical code for a lot of people. With RSA signatures, there's a public exponent "e" and a private exponent "d", and e is a pretty arbitrary prime, so it's common to pick a value that lets you do fast calculations. The popular values are 3, 65537, and occasionally 17, and it's hard to find a number x such that x**e mod n == y if you don't know d (or p and q.) The problem is that it's not so hard to find x and some junk such that (x,junk)**e mod n == (y,otherjunk), at least if e is small enough, and the standard ASN.1 code makes it easy to add arbitrary junk. 3 is small enough (and really fast to use), 17 might be, 65537 is pretty safe, and ASN.1 is the Mos Eisley of data representation protocols, a wretched hive of scum and villainy that nobody wants to mess around in. So some people do the right thing in checking the "otherjunk" beyond the y, but not everybody did, and until Bleichenbacher's attack you didn't need to.
Open Source does mean that you *can* update your copy of OpenSSL, without waiting for Microsoft Patch Day - and in the crypto world, the only way to trust anything is for the algorithms and implementation code to be documented and readable. They don't have to be "open" in the sense of "accepting patches from arbitrary people" or "free as in speech, not patented, not copyrighted, guaranteed to make RMS happy", but if you can't see the algorithms or install code you've recompiled from scratch yourself, you can't trust it.
So the fact that you've got to update OpenSSL and link it in to other code is really fine here - if you're paranoid, you need to do it yourself, and you've got the tools to do it; if you're not paranoid, this is a fairly tough exploit to actually do anything useful with, though you could go deleting a few certificates from your browser's security files if you're worried.
Bill Stewart
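The "otherjunk" check from the comment above, as an added example that is not part of this thread or of OpenSSL's own code: a lax EMSA-PKCS1-v1_5 verifier that parses the block from the front and stops at the hash, beside a strict one that rebuilds the whole block and compares it byte for byte. The test input with minimal padding and trailing filler is constructed here to show the shape the lax check accepts; the cube-root step that would turn such a block into a forged e=3 signature is not shown.

```python
import hashlib
import hmac

# DER header of the SHA-1 DigestInfo (RFC 3447, section 9.2, note 1);
# the 20-byte hash follows it directly.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, exactly em_len bytes."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lax_verify(em: bytes, message: bytes) -> bool:
    """Pre-fix style: walk the block from the front, compare the hash, and
    never look at what follows it. Trailing bytes are silently accepted."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return False
    t = em[i + 1:]
    if not t.startswith(SHA1_DIGESTINFO_PREFIX):
        return False
    found = t[len(SHA1_DIGESTINFO_PREFIX):len(SHA1_DIGESTINFO_PREFIX) + 20]
    return found == hashlib.sha1(message).digest()


def strict_verify(em: bytes, message: bytes) -> bool:
    """Fixed check: regenerate the entire block and compare it whole, so the
    padding must reach the DigestInfo and nothing may follow the hash."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def block_with_trailing_bytes(message: bytes, em_len: int) -> bytes:
    """Constructed test input: 8 bytes of padding, the correct DigestInfo,
    then filler up to em_len. This is the 'junk' layout the comment describes."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (em_len - len(head))
```

Against a well-formed block both verifiers agree; against the trailing-filler block only the strict verifier rejects, which is the behaviour the fix restores.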
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
First a huge raft of problems in gzip, now this. Thank you, Google. But you have to wonder--is there a point at which fewer security issues will be found in system software? I mean, it's gzip! It's not like it's some new whizbang technology; this has been around for more than ten years. The real question to be asked is why we're still finding these problems now.
Laws do not persuade just because they threaten. --Seneca
Firefox/Thunderbird had this fix applied in 1.5.0.7, released on 2006/09/14.
Seamonkey had this fix applied in 1.0.5, released on 2006/09/14.
Opera had this fix applied in Opera 9.02, released on 2006/09/21.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique.
Did OpenBSD ship with any of this code?
If so, then wouldn't this be Theo's second pwning?
Some common web browsers are affected by this attack too. For example, this worked against Mozilla Firefox and Opera in their default configuration. Using this attack, you could do a man in the middle attack against every SSL connection. Using this attack for digital signatures on emails would have been possible too.
There are some details about the affected browsers:
http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
I had submitted the same news on the 6th but it was rejected by the editor.
http://www.heise-security.co.uk/news/77800
There is no security reduction from RSA to factoring, for e=3 or any other e. In fact there's strong evidence that there will never be such a reduction.
In addition, any such security reduction won't apply to PKCS #1.5 - a proper padding method, like OAEP+, must be used for the security reduction to apply.
There is such a reduction for e=2 aka Rabin, but that's not RSA any more, because your equations have multiple solutions. I nonetheless recommend adoption of Rabin everywhere RSA is now used, since it's better in every possible respect.
Xenu loves you!
... OpenSSH is dead
Don't call me a cowboy, and don't tell me to slow down!
Because, umm, I wasn't using Linux then? Because it's not insane to ask that programs be written right in the first place? Because auditing an incredibly widely-used library isn't too much to ask? Because crypto is a subtle art, very easy to get wrong, and there aren't that many people who can competently audit crypto code? Because I do file a ton of bug reports (for what I can reproduce) and patches (for what I can code), but I never got around to fuzz-testing gzip, which might have revealed some of its issues?
Laws do not persuade just because they threaten. --Seneca
If OpenSSL can also be attacked by a bug, what else should we trust to secure our data?
Paid services can't secure our data, and now even the 'secure' open source service can't secure it, so now what should we use? Seriously man, what should we use?? Any suggestions??
If anyone wonders, here is the definition of OpenSSL, courtesy of wikipedia.org:
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), and also for Microsoft Windows. OpenSSL is based on SSLeay by Eric Young and Tim Hudson, development of which unofficially ended around December 1998, when Tim and Eric both moved to work for RSA Security.
It's been stated in Help Net Security that the only solution to this problem is to:
Upgrade to version 0.9.8c, 0.9.7k or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
'No known workarounds' seems like quite an exaggeration!
It's normal for technologies to be upgraded, right? But you have to admit, though, everything seems to require regular upgrading nowadays. At least once! Even humans need a so-called self-upgrading. What more technologies which are created by humans?
To those of you (humans) who are still yet to realise what security complications would be seen from this vulnerability issue, here are some of the major classifications of effects:
1. Remote vulnerability
2. Impact on integrity
3. Exploit unknown
4. Verified
http://www.net-security.org/vulnerability.php?id=
".. winners don't do different things, they do things differently."
"OpenSSL versions up to 0.9.7j and 0.9.8b" The software package created above is not a predictable program because it is vulnerable to a signature forgery technique although it uses strong cryptography.
There are multiple ways to avoid this vulnerability. Any one of the following measures is sufficient.

1. Upgrade the OpenSSL server software. The vulnerability is resolved in the following versions of OpenSSL:
- in the 0.9.7 branch, version 0.9.7k (or later);
- in the 0.9.8 branch, version 0.9.8c (or later).

OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The distribution file names are:
o openssl-0.9.8c.tar.gz
MD5 checksum: 78454bec556bcb4c45129428a766c886
SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d
o openssl-0.9.7k.tar.gz
MD5 checksum: be6bba1d67b26eabb48cf1774925416f
SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2

The checksums were calculated using the following commands:
openssl md5 openssl-0.9*.tar.gz
openssl sha1 openssl-0.9*.tar.gz

2. If this version upgrade is not an option at the present time, alternatively the following patch may be applied to the OpenSSL source code to resolve the problem. The patch is compatible with the 0.9.6, 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL.
o http://www.openssl.org/news/patch-CVE-2006-4339.txt

Whether you choose to upgrade to a new version or to apply the patch, make sure to recompile any applications statically linked to OpenSSL libraries.
Although this bug has been fixed in OpenSSL, browsers are also affected by it. The attack requires that one of the accepted certificate authorities uses an RSA key with the exponent 3. All of the major browsers have such a CA. Browsers like IE and Safari are not affected by this. Firefox, however, is affected, but there already exists a fix from version 1.5.0.7, so no need to worry if you're using Firefox and you're up to date. Konqueror meanwhile uses OpenSSL libraries and is not affected if it is up to date. The only browser that is still affected is Opera. The update is not yet available and will only be available "soon". It is recommended that you remove Opera until an update is made available. This problem also does not affect only browsers. It affects programs that use X.509 certificates. Cheers.
Oh, then just update it!! That is why we have many versions, don't we.
OpenSSL 0.9.8 was released on July 5, 2005. OpenSSL 0.9.7 was released on December 31, 2002. OpenSSL 0.9.6 was released on September 25, 2000. OpenSSL 0.9.5 was released on February 28, 2000. OpenSSL 0.9.4 was released on August 9, 1999. OpenSSL 0.9.3 was released on May 25, 1999.