|
Posted: January 18, 2007
Description
According to CERT Vulnerability Note VU#845620, "Many RSA implementations
may fail to properly verify signatures. Specifically, the verifier
may incorrectly parse PKCS-1 padded signatures, ignoring data at
the end of a signature. If this data is ignored and a RSA key with
a public exponent of three is used, it may be possible to forge the
signing key's signature."
VShell, SecureCRT, and SecureFX
no longer generate keys with a public exponent of three. VShell
has an option that disallows keys with
a public exponent of three from being used for authentication.
SecureCRT and SecureFX warn before a key with a public exponent
of three is
used for authentication or accepted from a host.
|
Affected Software Versions
|
|
SecureCRT version 5.2.1 and earlier
SecureFX version 4.0.1 and earlier
VShell version 2.6.2 and earlier for Windows, Red Hat Linux, HP-UX, AIX, and Solaris.
|
| |
|
Vulnerability Fix Downloads
|
|
VShell 3.0 or later *
SecureCRT 5.2.2 or later.
SecureFX 4.0.2 or later.
* This vulnerability will be addressed in VShell 3.0, which has not
yet been officially released. Please contact VanDyke Software technical support if you are interested in trying a pre-release
version.
|
| |
|
Technical Support
|
If you have any questions concerning upgrade eligibility
in response to this security advisory, please contact
VanDyke Software.
|
| |
|
Official Postings
|
US-CERT published an advisory
on this vulnerability on 09/21/2006.
|
| |
|
Revision History
|
January 18, 2007 - Security Advisory published.
|
|
