CVE-2006-2940

high

Description

OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allow attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates, which require extra time to process during RSA signature verification.

References

https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10311

https://issues.rpath.com/browse/RPL-1633

https://exchange.xforce.ibmcloud.com/vulnerabilities/29230

http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf

http://www.vupen.com/english/advisories/2008/2396

http://www.vupen.com/english/advisories/2008/0905/references

http://www.vupen.com/english/advisories/2007/2783

http://www.vupen.com/english/advisories/2007/2315

http://www.vupen.com/english/advisories/2007/1401

http://www.vupen.com/english/advisories/2007/0343

http://www.vupen.com/english/advisories/2006/4980

http://www.vupen.com/english/advisories/2006/4750

http://www.vupen.com/english/advisories/2006/4417

http://www.vupen.com/english/advisories/2006/4401

http://www.vupen.com/english/advisories/2006/4329

http://www.vupen.com/english/advisories/2006/4327

http://www.vupen.com/english/advisories/2006/4264

http://www.vupen.com/english/advisories/2006/4036

http://www.vupen.com/english/advisories/2006/4019

http://www.vupen.com/english/advisories/2006/3936

http://www.vupen.com/english/advisories/2006/3902

http://www.vupen.com/english/advisories/2006/3869

http://www.vupen.com/english/advisories/2006/3860

http://www.vupen.com/english/advisories/2006/3820

http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html

http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html

http://www.vmware.com/support/server/doc/releasenotes_server.html

http://www.vmware.com/support/player2/doc/releasenotes_player2.html

http://www.vmware.com/support/player/doc/releasenotes_player.html

http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html

http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html

http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html

http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html

http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

http://www.vmware.com/security/advisories/VMSA-2008-0005.html

http://www.us-cert.gov/cas/techalerts/TA06-333A.html

http://www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en

http://www.ubuntu.com/usn/usn-353-2

http://www.ubuntu.com/usn/usn-353-1

http://www.trustix.org/errata/2006/0054

http://www.serv-u.com/releasenotes/

http://www.securityfocus.com/bid/28276

http://www.securityfocus.com/bid/22083

http://www.securityfocus.com/bid/20247

http://www.securityfocus.com/archive/1/489739/100/0/threaded

http://www.securityfocus.com/archive/1/456546/100/200/threaded

http://www.securityfocus.com/archive/1/447393/100/0/threaded

http://www.securityfocus.com/archive/1/447318/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2008-0629.html

http://www.redhat.com/support/errata/RHSA-2006-0695.html

http://www.osvdb.org/29261

http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html

http://www.openssl.org/news/secadv_20060928.txt

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html

http://www.novell.com/linux/security/advisories/2006_58_openssl.html

http://www.novell.com/linux/security/advisories/2006_24_sr.html

http://www.mandriva.com/security/advisories?name=MDKSA-2006:178

http://www.mandriva.com/security/advisories?name=MDKSA-2006:177

http://www.mandriva.com/security/advisories?name=MDKSA-2006:172

http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml

http://www.debian.org/security/2006/dsa-1195

http://www.debian.org/security/2006/dsa-1185

http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html

http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf

http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf

http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm

http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm

http://support.attachmate.com/techdocs/2374.html

http://sunsolve.sun.com/search/document.do?assetkey=1-66-201534-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-200585-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1

http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227

http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946

http://securitytracker.com/id?1017522

http://securitytracker.com/id?1016943

http://security.gentoo.org/glsa/glsa-200610-11.xml

http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc

http://secunia.com/advisories/31531

http://secunia.com/advisories/31492

http://secunia.com/advisories/30124

http://secunia.com/advisories/26893

http://secunia.com/advisories/26329

http://secunia.com/advisories/25889

http://secunia.com/advisories/24950

http://secunia.com/advisories/24930

http://secunia.com/advisories/23915

http://secunia.com/advisories/23794

http://secunia.com/advisories/23680

http://secunia.com/advisories/23351

http://secunia.com/advisories/23340

http://secunia.com/advisories/23309

http://secunia.com/advisories/23280

http://secunia.com/advisories/23155

http://secunia.com/advisories/23038

http://secunia.com/advisories/22799

http://secunia.com/advisories/22772

http://secunia.com/advisories/22758

http://secunia.com/advisories/22671

http://secunia.com/advisories/22626

http://secunia.com/advisories/22544

http://secunia.com/advisories/22500

http://secunia.com/advisories/22487

http://secunia.com/advisories/22460

http://secunia.com/advisories/22385

http://secunia.com/advisories/22330

http://secunia.com/advisories/22298

http://secunia.com/advisories/22284

http://secunia.com/advisories/22260

http://secunia.com/advisories/22259

http://secunia.com/advisories/22240

http://secunia.com/advisories/22220

http://secunia.com/advisories/22216

http://secunia.com/advisories/22212

http://secunia.com/advisories/22207

http://secunia.com/advisories/22193

http://secunia.com/advisories/22186

http://secunia.com/advisories/22172

http://secunia.com/advisories/22166

http://secunia.com/advisories/22165

http://secunia.com/advisories/22130

http://secunia.com/advisories/22116

http://secunia.com/advisories/22094

http://openvpn.net/changelog.html

http://openbsd.org/errata.html#openssl2

http://marc.info/?l=bugtraq&m=130497311408250&w=2

http://marc.info/?l=bind-announce&m=116253119512445&w=2

http://lists.vmware.com/pipermail/security-announce/2008/000008.html

http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html

http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html

http://kolab.org/security/kolab-vendor-notice-11.txt

http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540

http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100

http://issues.rpath.com/browse/RPL-613

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771

http://docs.info.apple.com/article.html?artnum=304829

Details

Source: Mitre, NVD

Published: 2006-09-28

Updated: 2018-10-18

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High