CVE-2006-2940
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
AI Score
Confidence
High
EPSS
Percentile
94.8%
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) “public exponent” or (2) “public modulus” values in X.509 certificates that require extra time to process when using RSA signature verification.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| openssl | openssl | 0.9.7d | cpe:/a:openssl:openssl:0.9.7d::: |
| openssl | openssl | 0.9.6h | cpe:/a:openssl:openssl:0.9.6h::: |
| openssl | openssl | 0.9.6l | cpe:/a:openssl:openssl:0.9.6l::: |
| openssl | openssl | 0.9.6 | cpe:/a:openssl:openssl:0.9.6:beta3:: |
| openssl | openssl | 0.9.5a | cpe:/a:openssl:openssl:0.9.5a:beta2:: |
| openssl | openssl | 0.9.2b | cpe:/a:openssl:openssl:0.9.2b::: |
| openssl | openssl | 0.9.5a | cpe:/a:openssl:openssl:0.9.5a:beta1:: |
| openssl | openssl | 0.9.7b | cpe:/a:openssl:openssl:0.9.7b::: |
| openssl | openssl | 0.9.6a | cpe:/a:openssl:openssl:0.9.6a::: |
| openssl | openssl | 0.9.6c | cpe:/a:openssl:openssl:0.9.6c::: |
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
docs.info.apple.com/article.html?artnum=304829
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
issues.rpath.com/browse/RPL-613
itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
kolab.org/security/kolab-vendor-notice-11.txt
lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
lists.vmware.com/pipermail/security-announce/2008/000008.html
marc.info/?l=bind-announce&m=116253119512445&w=2
marc.info/?l=bugtraq&m=130497311408250&w=2
openbsd.org/errata.html#openssl2
openvpn.net/changelog.html
secunia.com/advisories/22094
secunia.com/advisories/22116
secunia.com/advisories/22130
secunia.com/advisories/22165
secunia.com/advisories/22166
secunia.com/advisories/22172
secunia.com/advisories/22186
secunia.com/advisories/22193
secunia.com/advisories/22207
secunia.com/advisories/22212
secunia.com/advisories/22216
secunia.com/advisories/22220
secunia.com/advisories/22240
secunia.com/advisories/22259
secunia.com/advisories/22260
secunia.com/advisories/22284
secunia.com/advisories/22298
secunia.com/advisories/22330
secunia.com/advisories/22385
secunia.com/advisories/22460
secunia.com/advisories/22487
secunia.com/advisories/22500
secunia.com/advisories/22544
secunia.com/advisories/22626
secunia.com/advisories/22671
secunia.com/advisories/22758
secunia.com/advisories/22772
secunia.com/advisories/22799
secunia.com/advisories/23038
secunia.com/advisories/23155
secunia.com/advisories/23280
secunia.com/advisories/23309
secunia.com/advisories/23340
secunia.com/advisories/23351
secunia.com/advisories/23680
secunia.com/advisories/23794
secunia.com/advisories/23915
secunia.com/advisories/24930
secunia.com/advisories/24950
secunia.com/advisories/25889
secunia.com/advisories/26329
secunia.com/advisories/26893
secunia.com/advisories/30124
secunia.com/advisories/31492
secunia.com/advisories/31531
security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
security.gentoo.org/glsa/glsa-200610-11.xml
securitytracker.com/id?1016943
securitytracker.com/id?1017522
slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
sunsolve.sun.com/search/document.do?assetkey=1-66-200585-1
sunsolve.sun.com/search/document.do?assetkey=1-66-201534-1
support.attachmate.com/techdocs/2374.html
support.avaya.com/elmodocs2/security/ASA-2006-220.htm
support.avaya.com/elmodocs2/security/ASA-2006-260.htm
www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf
www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf
www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
www.debian.org/security/2006/dsa-1185
www.debian.org/security/2006/dsa-1195
www.gentoo.org/security/en/glsa/glsa-200612-11.xml
www.mandriva.com/security/advisories?name=MDKSA-2006:172
www.mandriva.com/security/advisories?name=MDKSA-2006:177
www.mandriva.com/security/advisories?name=MDKSA-2006:178
www.novell.com/linux/security/advisories/2006_24_sr.html
www.novell.com/linux/security/advisories/2006_58_openssl.html
www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
www.openssl.org/news/secadv_20060928.txt
www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
www.osvdb.org/29261
www.redhat.com/support/errata/RHSA-2006-0695.html
www.redhat.com/support/errata/RHSA-2008-0629.html
www.securityfocus.com/archive/1/447318/100/0/threaded
www.securityfocus.com/archive/1/447393/100/0/threaded
www.securityfocus.com/archive/1/456546/100/200/threaded
www.securityfocus.com/archive/1/489739/100/0/threaded
www.securityfocus.com/bid/20247
www.securityfocus.com/bid/22083
www.securityfocus.com/bid/28276
www.serv-u.com/releasenotes/
www.trustix.org/errata/2006/0054
www.ubuntu.com/usn/usn-353-1
www.ubuntu.com/usn/usn-353-2
www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en
www.us-cert.gov/cas/techalerts/TA06-333A.html
www.vmware.com/security/advisories/VMSA-2008-0005.html
www.vmware.com/support/ace2/doc/releasenotes_ace2.html
www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
www.vmware.com/support/player/doc/releasenotes_player.html
www.vmware.com/support/player2/doc/releasenotes_player2.html
www.vmware.com/support/server/doc/releasenotes_server.html
www.vmware.com/support/vi3/doc/esx-3069097-patch.html
www.vmware.com/support/vi3/doc/esx-9986131-patch.html
www.vmware.com/support/ws55/doc/releasenotes_ws55.html
www.vmware.com/support/ws6/doc/releasenotes_ws6.html
www.vupen.com/english/advisories/2006/3820
www.vupen.com/english/advisories/2006/3860
www.vupen.com/english/advisories/2006/3869
www.vupen.com/english/advisories/2006/3902
www.vupen.com/english/advisories/2006/3936
www.vupen.com/english/advisories/2006/4019
www.vupen.com/english/advisories/2006/4036
www.vupen.com/english/advisories/2006/4264
www.vupen.com/english/advisories/2006/4327
www.vupen.com/english/advisories/2006/4329
www.vupen.com/english/advisories/2006/4401
www.vupen.com/english/advisories/2006/4417
www.vupen.com/english/advisories/2006/4750
www.vupen.com/english/advisories/2006/4980
www.vupen.com/english/advisories/2007/0343
www.vupen.com/english/advisories/2007/1401
www.vupen.com/english/advisories/2007/2315
www.vupen.com/english/advisories/2007/2783
www.vupen.com/english/advisories/2008/0905/references
www.vupen.com/english/advisories/2008/2396
www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
exchange.xforce.ibmcloud.com/vulnerabilities/29230
issues.rpath.com/browse/RPL-1633
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10311
www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
AI Score
Confidence
High
EPSS
Percentile
94.8%