RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.
The issue has been addressed in node-forge
1.3.0
.
For more information, please see
“Bleichenbacher’s RSA signature forgery based on implementation error”
by Hal Finney.
If you have any questions or comments about this advisory: