OpenSSL RSA Signature Forgery Vulnerability

OpenSSL versions 0.9.7j and prior and 0.9.8b and prior contain a vulnerability that could allow an unauthenticated, remote attacker to successfully pass a forged X.509 certificate.

The vulnerability could allow an unauthenticated, remote attacker to pass a forged Public-Key Cryptography Standards (PKCS)#1 Version 1.5 signature when signed by a certain type of RSA key. An attacker could exploit the vulnerability to access certificate-protected resources.

OpenSSL confirmed the vulnerability in a security advisory and released updated versions.

This vulnerability affects PKCS #1 v1.5 signatures if the exponent of the public key is 3, which is widely used by Certificate Authorities. An attacker will likely exploit this vulnerability to forge signatures without the secret key. PKCS #1 v1.5 is often utilized within X.509 certificates; therefore, all applications that use OpenSSL to verify X.509 certificates may be vulnerable, including software that uses OpenSSL for SSL or TLS.