| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Aug 2004 17:18:46 +0200 From: Patrik Hornik <patrik@...nik.sk> To: bugtraq@...urityfocus.com Subject: SA-20040802 GnuTLS certificate chain verification bug -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ====================================================================== Security advisory 20040802 - ---------------------------------------------------------------------- Product: GnuTLS Vulnerability type: wrong algorithm Impact: DoS Severity: low Issue date: 2004/08/02 Last updated: 2004/08/02 ====================================================================== Description - ----------- Mr. Hornik has discovered error in X.509 certificate chain verification procedure in GnuTLS library. The certificate chain should be verified from last root certificate to the first certificate. Otherwise a lot of unauthorized CPU processing can be forced to check certificate signatures signed with arbitrary RSA/DSA keys chosen by attacker. In GnuTLS the signatures are checked from first to last certificate, there is no limit on size of keys and no limit on length of certificate chain. Vulnerability - ------------- GnuTLS library checks the signatures from first to last root certificate of chain, there is no limit on size of keys and no limit on length of certificate chain. So attacker can construct such certificate chain that signature signed with chosen RSA key with chosen size will be verified. This is not the case when verifying from last root certificate to first - there are checked signatures signed by trusted certificates and so trusted keys only. The main problem is that size of key can be chosen - with RSA keys the complexity of verifying signature is dependent on square of key size. So for example verifying signature signed with 32768 bit RSA key takes approximately 1024 times longer than verifying signature signed with 1024 bit RSA key (with simillar bit length of e). Because RSA verification is not simple operation with longer keys one verification takes such significant amount of processing power that you can effectively launch DoS on CPU resources of remote machine running GnuTLS. Who is affected? - ---------------- Affected are all users using GnuTLS library version 1.0.16 and below for verifying X.509 certificate chains. The version 1.0.17 with this issue fixed by introducing some limits on key size and chain length is available from vendor together with this announcement. Recommendations - --------------- Upgrade your GnuTLS library to the version 1.0.17 or later with this issue fixed and restart all dependant applications if needed. References - ---------- This security advisory: http://www.hornik.sk/SA/SA-20040802.txt GnuTLS: http://www.gnu.org/software/gnutls/ Contact - ------- Patrik Hornik - -- Email: patrik@...nik.sk Phone: +421 905 385 666 PGP KeyID: 940AA357 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.0.2i iQA/AwUBQQ5KKp4J6KGUCqNXEQK5tACgo9/t1cSCvaihE1yy/N/wvPXCvowAoOlA v0adXHcIJyrMsHlmmwVCC58v =c6Re -----END PGP SIGNATURE-----
Powered by blists - more mailing lists