Vulnerability Details : CVE-2006-2940
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allow attackers to cause a denial of service (CPU consumption) via "parasitic" public keys with large (1) public exponent or (2) public modulus values in X.509 certificates. Such keys are not rejected before use, and the RSA signature verification performed on them requires far more time to process than a key with an ordinary exponent and modulus.
Vulnerability category: Denial of service
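The check a practitioner wants here is the one the fixed releases added: refuse an RSA public key whose modulus or exponent is oversized before spending CPU on it. The following is an added example, not code from this page, from NVD or from OpenSSL. It parses an RSAPublicKey (the DER structure carried in an X.509 certificate's SubjectPublicKeyInfo), applies the three size limits, and estimates how much more work a verification with a parasitic exponent costs. The limit values are assumptions taken from OpenSSL's rsa.h (OPENSSL_RSA_MAX_MODULUS_BITS, OPENSSL_RSA_SMALL_MODULUS_BITS, OPENSSL_RSA_MAX_PUBEXP_BITS); the sample keys are constructed, not taken from any real certificate.

```python
"""Parasitic RSA key check in the spirit of the CVE-2006-2940 fix.
Added example; the three limits are assumed from OpenSSL's rsa.h."""
import time

MAX_MODULUS_BITS = 16384   # assumed: OPENSSL_RSA_MAX_MODULUS_BITS
SMALL_MODULUS_BITS = 3072  # assumed: OPENSSL_RSA_SMALL_MODULUS_BITS
MAX_PUBEXP_BITS = 64       # assumed: OPENSSL_RSA_MAX_PUBEXP_BITS


def _der_len(n):
    """DER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int; a 0x00 pad keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def parse_rsa_public_key(der):
    """Parse an RSAPublicKey DER blob and return (n, e) as Python ints."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_rsa_public_key(n, e):
    """None if (n, e) passes the post-fix sanity limits, else a short reason."""
    if n.bit_length() > MAX_MODULUS_BITS:
        return "modulus too large"
    if e >= n:
        return "exponent not smaller than modulus"
    if n.bit_length() > SMALL_MODULUS_BITS and e.bit_length() > MAX_PUBEXP_BITS:
        return "exponent too large for a big modulus"
    return None


def relative_verify_cost(n, e, ref_e=65537):
    """Work for pow(sig, e, n) relative to the same modulus with ref_e.
    Square-and-multiply does bit_length(e) squarings plus popcount(e)
    multiplications, all on numbers the size of n, so for a fixed n the
    ratio of those operation counts is a fair first-order estimate."""
    def ops(x):
        return x.bit_length() + bin(x).count("1")
    return ops(e) / ops(ref_e)


# Constructed sample keys (not real certificates): a 2048-bit modulus with the
# usual exponent, and a 4096-bit modulus paired with a 4001-bit parasitic one.
SAMPLE_N = (1 << 2047) | (0xC0FFEE << 1000) | 1
SAMPLE_BIG_N = (1 << 4095) | (0xDEADBEEF << 2000) | 1
SAMPLE_DER_OK = encode_rsa_public_key(SAMPLE_N, 65537)
SAMPLE_DER_PARASITIC = encode_rsa_public_key(SAMPLE_BIG_N, (1 << 4000) | 1)


def verify_seconds(der, sig=12345):
    """Wall-clock cost of one raw RSA public operation with the parsed key."""
    n, e = parse_rsa_public_key(der)
    start = time.perf_counter()
    pow(sig, e, n)
    return time.perf_counter() - start


if __name__ == "__main__":
    for label, der in (("normal", SAMPLE_DER_OK), ("parasitic", SAMPLE_DER_PARASITIC)):
        n, e = parse_rsa_public_key(der)
        print(label, "n bits:", n.bit_length(), "e bits:", e.bit_length(),
              "check:", check_rsa_public_key(n, e),
              "cost x%.0f" % relative_verify_cost(n, e),
              "%.4fs" % verify_seconds(der))
```

Two caveats the check makes visible. First, the exponent cap only applies once the modulus exceeds 3072 bits: a 2048-bit modulus with a 2048-bit exponent passes all three limits yet costs roughly a hundred times a 65537 verification, which is the trade-off the fix accepted. Second, the limits are applied by the library, not by certificate parsers; a certificate with a parasitic key still parses fine, and on a pre-fix build the cost is paid on every verification that touches it. To eyeball a real certificate's key parameters, `openssl x509 -in cert.pem -noout -text` prints the modulus and exponent.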
Products affected by CVE-2006-2940
- cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-2940
- EPSS score: 27.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2006-2940
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C | 10.0 | 6.9 | NIST |
CWE ids for CVE-2006-2940
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2006-2940
- Red Hat (2007-03-14): Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
References for CVE-2006-2940
- http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml (AMD64 x86 emulation base libraries: OpenSSL multiple vulnerabilities, GLSA 200612-11)
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
- http://www.novell.com/linux/security/advisories/2006_24_sr.html
- http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
- http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:172
- http://www.debian.org/security/2006/dsa-1195 ([SECURITY] [DSA 1195-1] new openssl096 packages fix denial of service)
- http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
- http://www.ubuntu.com/usn/usn-353-2 (USN-353-2: OpenSSL vulnerability)
- http://www.vupen.com/english/advisories/2006/4980
- http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29230
- http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
- http://www.vupen.com/english/advisories/2006/3936
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
- https://issues.rpath.com/browse/RPL-1633
- http://www.vupen.com/english/advisories/2008/0905/references
- http://www.novell.com/linux/security/advisories/2006_58_openssl.html
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200585-1
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10311
- http://marc.info/?l=bind-announce&m=116253119512445&w=2 (Internet Systems Consortium Security Advisory [revised])
- http://www.vmware.com/support/player2/doc/releasenotes_player2.html
- http://www.vupen.com/english/advisories/2007/0343
- http://www.redhat.com/support/errata/RHSA-2006-0695.html (Vendor Advisory)
- http://www.securityfocus.com/bid/22083
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
- http://www.openssl.org/news/secadv_20060928.txt
- http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
- http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
- http://www.securityfocus.com/archive/1/456546/100/200/threaded
- http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
- http://kolab.org/security/kolab-vendor-notice-11.txt
- http://issues.rpath.com/browse/RPL-613
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en
- http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
- http://securitytracker.com/id?1016943
- http://www.vupen.com/english/advisories/2006/4417
- http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
- http://www.vupen.com/english/advisories/2006/3820
- http://www.vupen.com/english/advisories/2006/4019
- http://www.securityfocus.com/bid/20247
- http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
- http://docs.info.apple.com/article.html?artnum=304829
- http://openvpn.net/changelog.html (Changelog for OpenVPN 2.1)
- http://www.securityfocus.com/archive/1/447393/100/0/threaded
- http://www.securityfocus.com/archive/1/447318/100/0/threaded
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
- http://www.vupen.com/english/advisories/2006/4327
- http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
- http://support.attachmate.com/techdocs/2374.html
- http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf
- http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
- http://www.vupen.com/english/advisories/2006/4264
- http://www.vmware.com/security/advisories/VMSA-2008-0005.html
- http://www.vupen.com/english/advisories/2006/4401
- http://marc.info/?l=bugtraq&m=130497311408250&w=2 ([security bulletin] HPSBOV02683 SSRT090208 rev.1 - HP Secure Web Server (SWS) for OpenVMS running Ap)
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
- http://security.gentoo.org/glsa/glsa-200610-11.xml (OpenSSL: Multiple vulnerabilities, GLSA 200610-11)
- http://openbsd.org/errata.html#openssl2 (OpenBSD: Errata and Patches)
- http://www.vupen.com/english/advisories/2007/1401
- http://www.vupen.com/english/advisories/2007/2783
- http://securitytracker.com/id?1017522
- http://www.us-cert.gov/cas/techalerts/TA06-333A.html
- https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
- http://www.vupen.com/english/advisories/2006/4329
- http://www.securityfocus.com/bid/28276
- http://www.vmware.com/support/player/doc/releasenotes_player.html
- http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946 (Slackware Security Advisories)
- http://www.vupen.com/english/advisories/2006/4750
- http://www.ubuntu.com/usn/usn-353-1 (USN-353-1: openssl vulnerabilities)
- http://www.vupen.com/english/advisories/2007/2315
- http://www.serv-u.com/releasenotes/
- http://www.securityfocus.com/archive/1/489739/100/0/threaded
- http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm (ASA-2006-260 HP-UX OpenSSL Denial of Service (DoS), Increase Privilege (HPSBUX02174))
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
- http://www.vupen.com/english/advisories/2008/2396
- http://lists.vmware.com/pipermail/security-announce/2008/000008.html
- http://www.vupen.com/english/advisories/2006/3860
- http://www.vupen.com/english/advisories/2006/3869
- http://www.vmware.com/support/server/doc/releasenotes_server.html
- http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
- http://www.redhat.com/support/errata/RHSA-2008-0629.html
- http://www.vupen.com/english/advisories/2006/4036
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
- http://www.debian.org/security/2006/dsa-1185
- http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
- http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201534-1
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
- http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm (ASA-2006-220 (RHSA-2006-0695))
- http://www.vupen.com/english/advisories/2006/3902