OpenSSL signatures can be forged
OpenSSL may fail to detect forged digital signatures under certain conditions because of an implementation error. The flaw affects all systems that use the OpenSSL library, in particular servers secured with SSL/TLS and VPNs based on SSL/TLS. OpenSSL versions 0.9.7k and 0.9.8c fix the vulnerability.
The security notice from the OpenSSL team states that attacks are only possible if a Certificate Authority (CA) uses an RSA key with public exponent 3 for X.509 certificates. It does not say how one can determine this concretely, however, and the advisory acknowledges that this kind of key is quite common. An attacker could forge a signature that is accepted as valid, because the OpenSSL implementation does not check whether the padded RSA signature block contains superfluous data after the hash. All users should therefore upgrade to the new version. As an alternative, OpenSSL is also releasing patches for versions 0.9.6, 0.9.7, 0.9.8 and 0.9.9.
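The verification flaw described above, illustrated with an added example that is not OpenSSL's own code: a lax PKCS#1 v1.5 checker that stops reading once it has matched the DigestInfo, next to a strict one that recomputes the whole encoded block and compares it in full. The RSA step itself (computing s^e mod n) is left out; both functions work directly on the encoded message EM, and the 128-byte block length is an assumption for a 1024-bit key.

```python
import hashlib
import hmac

# DER prefix of the SHA-1 DigestInfo structure (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def encode_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || T as a signer would."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("encoded message length too short for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lax_check(em: bytes, msg: bytes) -> bool:
    """Flawed verifier: walks past the padding, compares the DigestInfo it finds
    there, and never looks at whatever bytes follow it."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    return em[i:i + len(t)] == t  # trailing data is silently ignored


def strict_check(em: bytes, msg: bytes) -> bool:
    """Correct verifier: the padding must fill the block exactly, so the whole
    EM is rebuilt and compared; any extra bytes after T make it fail."""
    try:
        expected = encode_pkcs1_v15(msg, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


# Constructed inputs: a well-formed block and one with minimal padding followed
# by filler bytes after the DigestInfo, the shape a forged block would have.
MSG = b"example certificate to-be-signed bytes"
EM_GOOD = encode_pkcs1_v15(MSG, 128)
_T = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(MSG).digest()
EM_TRAILING = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _T
EM_TRAILING += b"\x00" * (128 - len(EM_TRAILING))
```

Running both checkers over the two blocks shows the lax one accepting the block with trailing bytes while the strict one rejects it.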
- Security Advisory from the OpenSSL team
- Bleichenbacher's RSA signature forgery based on implementation error