Crypto flaw found in OpenSSL

Researchers have found a way to hack the OpenSSL verification software used in many VPNs and web servers with forged certificates.

The vulnerability affects a specific set of cryptographic X.509 keys known as PKCS #1 v1, and could allow an attacker to have a non-legitimate and forged certificate accepted as real, compromising and unpatched system.

Versions of the software from 0.9.7j to 0.9.8b are said to be at risk, and the open source project has recommended that anyone using the software should update it immediately.

"Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature," the advisory warns.

Uncovered by Bell Labs' cryptographer Daniel Bleichenbacher, the complex exploit was first shown to fellow professionals at Crypto 2006 last month, but has only recently come to light now that a fix has been made available.

The number of vendors affected by the issue is unknown but believed to be extensive given the popularity of the open source OpenSSL toolkit which is frequently used to implement SSL (secure sockets layer) and TLS (transport layer protocols).

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Bell LabsRSA

Show Comments