CVE-2006-2940

HIGH

Description

OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allow attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates, which require extra time to process when using RSA signature verification.

References

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc

ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc

http://docs.info.apple.com/article.html?artnum=304829

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771

http://issues.rpath.com/browse/RPL-613

http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100

http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540

http://kolab.org/security/kolab-vendor-notice-11.txt

http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html

http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html

http://lists.vmware.com/pipermail/security-announce/2008/000008.html

http://marc.info/?l=bind-announce&m=116253119512445&w=2

http://marc.info/?l=bugtraq&m=130497311408250&w=2

http://openbsd.org/errata.html#openssl2

http://openvpn.net/changelog.html

http://secunia.com/advisories/22094

http://secunia.com/advisories/22116

http://secunia.com/advisories/22130

http://secunia.com/advisories/22165

http://secunia.com/advisories/22166

http://secunia.com/advisories/22172

http://secunia.com/advisories/22186

http://secunia.com/advisories/22193

http://secunia.com/advisories/22207

http://secunia.com/advisories/22212

http://secunia.com/advisories/22216

http://secunia.com/advisories/22220

http://secunia.com/advisories/22240

http://secunia.com/advisories/22259

http://secunia.com/advisories/22260

http://secunia.com/advisories/22284

http://secunia.com/advisories/22298

http://secunia.com/advisories/22330

http://secunia.com/advisories/22385

http://secunia.com/advisories/22460

http://secunia.com/advisories/22487

http://secunia.com/advisories/22500

http://secunia.com/advisories/22544

http://secunia.com/advisories/22626

http://secunia.com/advisories/22671

http://secunia.com/advisories/22758

http://secunia.com/advisories/22772

http://secunia.com/advisories/22799

http://secunia.com/advisories/23038

http://secunia.com/advisories/23155

http://secunia.com/advisories/23280

http://secunia.com/advisories/23309

http://secunia.com/advisories/23340

http://secunia.com/advisories/23351

http://secunia.com/advisories/23680

http://secunia.com/advisories/23794

http://secunia.com/advisories/23915

http://secunia.com/advisories/24930

http://secunia.com/advisories/24950

http://secunia.com/advisories/25889

http://secunia.com/advisories/26329

http://secunia.com/advisories/26893

http://secunia.com/advisories/30124

http://secunia.com/advisories/31492

http://secunia.com/advisories/31531

http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc

http://security.gentoo.org/glsa/glsa-200610-11.xml

http://securitytracker.com/id?1016943

http://securitytracker.com/id?1017522

http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946

http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-200585-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-201534-1

http://support.attachmate.com/techdocs/2374.html

http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm

http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm

http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf

http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html

http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml

http://www.debian.org/security/2006/dsa-1185

http://www.debian.org/security/2006/dsa-1195

http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml

http://www.mandriva.com/security/advisories?name=MDKSA-2006:172

http://www.mandriva.com/security/advisories?name=MDKSA-2006:177

http://www.mandriva.com/security/advisories?name=MDKSA-2006:178

http://www.novell.com/linux/security/advisories/2006_24_sr.html

http://www.novell.com/linux/security/advisories/2006_58_openssl.html

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html

http://www.openssl.org/news/secadv_20060928.txt

http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html

http://www.osvdb.org/29261

http://www.redhat.com/support/errata/RHSA-2006-0695.html

http://www.redhat.com/support/errata/RHSA-2008-0629.html

http://www.securityfocus.com/archive/1/447318/100/0/threaded

http://www.securityfocus.com/archive/1/447393/100/0/threaded

http://www.securityfocus.com/archive/1/456546/100/200/threaded

http://www.securityfocus.com/archive/1/489739/100/0/threaded

http://www.securityfocus.com/bid/20247

http://www.securityfocus.com/bid/22083

http://www.securityfocus.com/bid/28276

http://www.serv-u.com/releasenotes/

http://www.trustix.org/errata/2006/0054

http://www.ubuntu.com/usn/usn-353-1

http://www.ubuntu.com/usn/usn-353-2

http://www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en

http://www.us-cert.gov/cas/techalerts/TA06-333A.html

http://www.vmware.com/security/advisories/VMSA-2008-0005.html

http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html

http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html

http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html

http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html

http://www.vmware.com/support/player/doc/releasenotes_player.html

http://www.vmware.com/support/player2/doc/releasenotes_player2.html

http://www.vmware.com/support/server/doc/releasenotes_server.html

http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html

http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html

http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

http://www.vupen.com/english/advisories/2006/3820

http://www.vupen.com/english/advisories/2006/3860

http://www.vupen.com/english/advisories/2006/3869

http://www.vupen.com/english/advisories/2006/3902

http://www.vupen.com/english/advisories/2006/3936

http://www.vupen.com/english/advisories/2006/4019

http://www.vupen.com/english/advisories/2006/4036

http://www.vupen.com/english/advisories/2006/4264

http://www.vupen.com/english/advisories/2006/4327

http://www.vupen.com/english/advisories/2006/4329

http://www.vupen.com/english/advisories/2006/4401

http://www.vupen.com/english/advisories/2006/4417

http://www.vupen.com/english/advisories/2006/4750

http://www.vupen.com/english/advisories/2006/4980

http://www.vupen.com/english/advisories/2007/0343

http://www.vupen.com/english/advisories/2007/1401

http://www.vupen.com/english/advisories/2007/2315

http://www.vupen.com/english/advisories/2007/2783

http://www.vupen.com/english/advisories/2008/0905/references

http://www.vupen.com/english/advisories/2008/2396

http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf

https://exchange.xforce.ibmcloud.com/vulnerabilities/29230

https://issues.rpath.com/browse/RPL-1633

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10311

https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144

Details

Source: MITRE

Published: 2006-09-28

Updated: 2018-10-18

Type: CWE-399

Risk Information

CVSS v2.0

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 10

Severity: HIGH