CVE-2006-2940

Severity

78%

Complexity

99%

Confidentiality

115%

OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.

OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.

CVSS 2.0 Base Score 7.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C).

Overview

Type

OpenSSL Project OpenSSL

First reported 18 years ago

2006-09-28 18:07:00

Last updated 6 years ago

2018-10-18 16:44:00

Affected Software

OpenSSL Project OpenSSL 0.9.1c

0.9.1c

OpenSSL Project OpenSSL 0.9.2b

0.9.2b

OpenSSL Project OpenSSL 0.9.3

0.9.3

OpenSSL Project OpenSSL 0.9.3a

0.9.3a

OpenSSL Project OpenSSL 0.9.4

0.9.4

OpenSSL Project OpenSSL 0.9.5

0.9.5

OpenSSL Project OpenSSL 0.9.5 Beta1

0.9.5

OpenSSL Project OpenSSL 0.9.5 Beta2

0.9.5

OpenSSL Project OpenSSL 0.9.5a

0.9.5a

OpenSSL Project OpenSSL 0.9.5a Beta1

0.9.5a

OpenSSL Project OpenSSL 0.9.5a Beta2

0.9.5a

OpenSSL Project OpenSSL 0.9.6

0.9.6

OpenSSL Project OpenSSL 0.9.6 Beta1

0.9.6

OpenSSL Project OpenSSL 0.9.6 Beta2

0.9.6

OpenSSL Project OpenSSL 0.9.6 Beta3

0.9.6

OpenSSL Project OpenSSL 0.9.6a

0.9.6a

OpenSSL Project OpenSSL 0.9.6a Beta1

0.9.6a

OpenSSL Project OpenSSL 0.9.6a Beta2

0.9.6a

OpenSSL Project OpenSSL 0.9.6a Beta3

0.9.6a

OpenSSL Project OpenSSL 0.9.6b

0.9.6b

OpenSSL Project OpenSSL 0.9.6c

0.9.6c

OpenSSL Project OpenSSL 0.9.6d

0.9.6d

OpenSSL Project OpenSSL 0.9.6e

0.9.6e

OpenSSL Project OpenSSL 0.9.6f

0.9.6f

OpenSSL Project OpenSSL 0.9.6g

0.9.6g

OpenSSL Project OpenSSL 0.9.6h

0.9.6h

OpenSSL Project OpenSSL 0.9.6i

0.9.6i

OpenSSL Project OpenSSL 0.9.6j

0.9.6j

OpenSSL Project OpenSSL 0.9.6k

0.9.6k

OpenSSL Project OpenSSL 0.9.6l

0.9.6l

OpenSSL Project OpenSSL 0.9.6m

0.9.6m

OpenSSL Project OpenSSL 0.9.7

0.9.7

OpenSSL Project OpenSSL 0.9.7a

0.9.7a

OpenSSL Project OpenSSL 0.9.7b

0.9.7b

OpenSSL Project OpenSSL 0.9.7c

0.9.7c

OpenSSL Project OpenSSL 0.9.7d

0.9.7d

OpenSSL Project OpenSSL 0.9.7e

0.9.7e

OpenSSL Project OpenSSL 0.9.7f

0.9.7f

OpenSSL Project OpenSSL 0.9.7g

0.9.7g

OpenSSL Project OpenSSL 0.9.7h

0.9.7h

OpenSSL Project OpenSSL 0.9.7i

0.9.7i

OpenSSL Project OpenSSL 0.9.7j

0.9.7j

OpenSSL Project OpenSSL 0.9.7k

0.9.7k

OpenSSL Project OpenSSL 0.9.8

0.9.8

OpenSSL Project OpenSSL 0.9.8a

0.9.8a

OpenSSL Project OpenSSL 0.9.8b

0.9.8b

OpenSSL Project OpenSSL 0.9.8c

0.9.8c

References

NetBSD-SA2008-007

20061001-01-P

http://docs.info.apple.com/article.html?artnum=304829

HPSBMA02250

http://issues.rpath.com/browse/RPL-613

HPSBUX02174

SSRT071299

http://kolab.org/security/kolab-vendor-notice-11.txt

APPLE-SA-2006-11-28

20060928 [SECURITY] OpenSSL 0.9.8d and 0.9.7l released

[security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues

[bind-announce] 20061103 Internet Systems Consortium Security Advisory. [revised]

SSRT090208

[3.9] 20061007 013: SECURITY FIX: October 7, 2006

http://openvpn.net/changelog.html

22094

Vendor Advisory

22116

Vendor Advisory

22130

Vendor Advisory

22165

Vendor Advisory

22166

Vendor Advisory

22172

Vendor Advisory

22186

Vendor Advisory

22193

Vendor Advisory

22207

Vendor Advisory

22212

Vendor Advisory

22216

Vendor Advisory

22220

Vendor Advisory

22240

Vendor Advisory

22259

Vendor Advisory

22260

Vendor Advisory

22284

Vendor Advisory

22298

22330

Vendor Advisory

22385

Vendor Advisory

22460

Vendor Advisory

22487

22500

Vendor Advisory

22544

Vendor Advisory

22626

22671

22758

22772

22799

23038

23155

23280

23309

23340

23351

23680

23794

23915

24930

24950

25889

26329

26893

30124

31492

31531

FreeBSD-SA-06:23.openssl

GLSA-200610-11

1016943

1017522

SSA:2006-272-01

http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227

102668

102747

200585

201534

http://support.attachmate.com/techdocs/2374.html

http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm

http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm

http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf

http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf

20061108 Multiple Vulnerabilities in OpenSSL Library

20061108 Multiple Vulnerabilities in OpenSSL library

DSA-1185

DSA-1195

GLSA-200612-11

MDKSA-2006:172

MDKSA-2006:177

MDKSA-2006:178

SUSE-SR:2006:024

SUSE-SA:2006:058

OpenPKG-SA-2006.021

http://www.openssl.org/news/secadv_20060928.txt

http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html

29261

RHSA-2006:0695

Vendor Advisory

RHSA-2008:0629

20060928 rPSA-2006-0175-1 openssl openssl-scripts

20060929 rPSA-2006-0175-2 openssl openssl-scripts

20070110 VMware ESX server security updates

20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues

20247

22083

28276

http://www.serv-u.com/releasenotes/

2006-0054

USN-353-1

USN-353-2

http://www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en

TA06-333A

US Government Resource

http://www.vmware.com/security/advisories/VMSA-2008-0005.html

http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html

http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html

http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html

http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html

http://www.vmware.com/support/player/doc/releasenotes_player.html

http://www.vmware.com/support/player2/doc/releasenotes_player2.html

http://www.vmware.com/support/server/doc/releasenotes_server.html

http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html

http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html

http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

ADV-2006-3820

ADV-2006-3860

ADV-2006-3869

ADV-2006-3902

ADV-2006-3936

ADV-2006-4019

ADV-2006-4036

ADV-2006-4264

ADV-2006-4327

ADV-2006-4329

ADV-2006-4401

ADV-2006-4417

ADV-2006-4750

ADV-2006-4980

ADV-2007-0343

ADV-2007-1401

ADV-2007-2315

ADV-2007-2783

ADV-2008-0905

ADV-2008-2396

http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf

openssl-publickey-dos(29230)

https://issues.rpath.com/browse/RPL-1633

oval:org.mitre.oval:def:10311

SSRT071304

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.