Vulnerability Description
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | 0.9.1c |
Related Weaknesses (CWE)
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://docs.info.apple.com/article.html?artnum=304829
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
- http://issues.rpath.com/browse/RPL-613
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
- http://kolab.org/security/kolab-vendor-notice-11.txt
- http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
- http://lists.vmware.com/pipermail/security-announce/2008/000008.html
- http://marc.info/?l=bind-announce&m=116253119512445&w=2
- http://marc.info/?l=bugtraq&m=130497311408250&w=2
- http://openbsd.org/errata.html#openssl2
- http://openvpn.net/changelog.html
FAQ
What is CVE-2006-2940?
CVE-2006-2940 is a vulnerability with a CVSS score of 7.8 (HIGH). OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2)...
How severe is CVE-2006-2940?
CVE-2006-2940 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2006-2940?
Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl.