FreeBSD : openssl -- Incorrect PKCS#1 v1.5 padding validation in crypto(3) (077c2dca-8f9a-11db-ab33-000e0c2e438a)

This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Problem Description When verifying a PKCS#1 v1.5 signature, OpenSSL
ignores any bytes which follow the cryptographic hash being signed. In
a valid signature there will be no such bytes. Impact OpenSSL will
incorrectly report some invalid signatures as valid. When an RSA
public exponent of 3 is used, or more generally when a small public
exponent is used with a relatively large modulus (e.g., a public
exponent of 17 with a 4096-bit modulus), an attacker can construct a
signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.
Workaround No workaround is available.

See also :

http://www.nessus.org/u?5adae70d

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 23951 (freebsd_pkg_077c2dca8f9a11dbab33000e0c2e438a.nasl)

Bugtraq ID: 19849

CVE ID: CVE-2006-4339

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now