CVE-2006-2940 — Openssl vulnerability

CWE-39919 documents11 sources

Severity

7.8HIGHNVD

NVD5.4NVD5.0

EPSS

2.9%

top 13.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Apple MAC OS X +2 more

Timeline

PublishedSep 28

Latest updateDec 29

Description

OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages6 packages

▶debiandebian/openssl< openssl 0.9.8c-2 (bookworm)

▶Debianopenssl/openssl< 0.9.8c-2+3

▶NVDopenssl/openssl37 versions+36

▶NVDapple/mac_os_x9 versions+8

▶vmwarevmware/vmware_fusion

🔴Vulnerability Details

GHSA

GHSA-6qr5-8633-2jmp: OpenSSL 0↗2022-05-03

▶

GHSA

GHSA-4qpr-78cg-wp5p: Intoto iGateway VPN and iGateway SSL-VPN allow context-dependent attackers to cause a denial of service (CPU consumption) via parasitic public keys wi↗2022-05-01

▶

GHSA

GHSA-2hqc-9p94-56j8: The Security Framework in Apple Mac OS X 10↗2022-05-01

▶

OSV

CVE-2006-2940: OpenSSL 0↗2006-09-28

▶

📋Vendor Advisories

VMware

Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line↗2008-03-17

▶

Cisco

Multiple Vulnerabilities in OpenSSL Library↗2006-11-08

▶

Ubuntu

OpenSSL vulnerability↗2006-10-05

▶

Ubuntu

openssl vulnerabilities↗2006-09-29

▶

BSD

FreeBSD-SA-06:23.openssl: Multiple problems in crypto(3)↗2006-09-28

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2006-2940 openssl public key DoS↗2008-01-29

▶

Bugzilla

CVE-2006-3738 OpenSSL issues (CVE-2006-4343, CVE-2006-2940, CVE-2006-2937, CVE-2006-4339)↗2006-10-03

▶

Bugzilla

openssl - patch for CVE-2006-2940 Parasitic Public Keys has issues↗2006-10-01

▶

Bugzilla

CVE-2006-2940 OpenSSL Parasitic Public Keys↗2006-09-20

▶