Vulnerability Details : CVE-2006-2940
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2006-2940
Probability of exploitation activity in the next 30 days: 9.43%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 95 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2006-2940
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST |
CWE ids for CVE-2006-2940
-
Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2006-2940
-
Red Hat 2007-03-14Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
- http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
-
http://www.novell.com/linux/security/advisories/2006_24_sr.html
Security - Support | SUSE
- http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
- http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:172
- http://www.debian.org/security/2006/dsa-1195
- http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
-
http://www.ubuntu.com/usn/usn-353-2
- http://www.vupen.com/english/advisories/2006/4980
- http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/29230
- http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
- http://www.vupen.com/english/advisories/2006/3936
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
- https://issues.rpath.com/browse/RPL-1633
- http://www.vupen.com/english/advisories/2008/0905/references
- http://www.novell.com/linux/security/advisories/2006_58_openssl.html
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200585-1
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10311
- http://marc.info/?l=bind-announce&m=116253119512445&w=2
- http://www.vmware.com/support/player2/doc/releasenotes_player2.html
- http://www.vupen.com/english/advisories/2007/0343
-
http://www.redhat.com/support/errata/RHSA-2006-0695.html
Vendor Advisory
- http://www.securityfocus.com/bid/22083
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
- http://www.openssl.org/news/secadv_20060928.txt
- http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
- http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
- http://www.securityfocus.com/archive/1/456546/100/200/threaded
-
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
VMware vSphere Documentation
- http://kolab.org/security/kolab-vendor-notice-11.txt
- http://issues.rpath.com/browse/RPL-613
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en
- http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
- http://securitytracker.com/id?1016943
- http://www.vupen.com/english/advisories/2006/4417
-
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
VMware vSphere Documentation
- http://www.vupen.com/english/advisories/2006/3820
- http://www.vupen.com/english/advisories/2006/4019
-
http://www.securityfocus.com/bid/20247
- http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
- http://docs.info.apple.com/article.html?artnum=304829
- http://openvpn.net/changelog.html
- http://www.securityfocus.com/archive/1/447393/100/0/threaded
- http://www.securityfocus.com/archive/1/447318/100/0/threaded
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
- http://www.vupen.com/english/advisories/2006/4327
- http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
- http://support.attachmate.com/techdocs/2374.html
- http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf
- http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
- http://www.vupen.com/english/advisories/2006/4264
- http://www.vmware.com/security/advisories/VMSA-2008-0005.html
- http://www.vupen.com/english/advisories/2006/4401
-
http://marc.info/?l=bugtraq&m=130497311408250&w=2
'[security bulletin] HPSBOV02683 SSRT090208 rev.1 - HP Secure Web Server (SWS) for OpenVMS running Ap' - MARC
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
- http://security.gentoo.org/glsa/glsa-200610-11.xml
- http://openbsd.org/errata.html#openssl2
-
http://www.vupen.com/english/advisories/2007/1401
Webmail: access your OVH emails on ovhcloud.com | OVHcloud
- http://www.vupen.com/english/advisories/2007/2783
- http://securitytracker.com/id?1017522
-
http://www.us-cert.gov/cas/techalerts/TA06-333A.html
US Government Resource
- https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
-
http://www.vupen.com/english/advisories/2006/4329
Webmail: access your OVH emails on ovhcloud.com | OVHcloud
- http://www.securityfocus.com/bid/28276
- http://www.vmware.com/support/player/doc/releasenotes_player.html
- http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
- http://www.vupen.com/english/advisories/2006/4750
- http://www.ubuntu.com/usn/usn-353-1
- http://www.vupen.com/english/advisories/2007/2315
-
http://www.serv-u.com/releasenotes/
Success Center
- http://www.securityfocus.com/archive/1/489739/100/0/threaded
- http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
- http://www.vupen.com/english/advisories/2008/2396
- http://lists.vmware.com/pipermail/security-announce/2008/000008.html
- http://www.vupen.com/english/advisories/2006/3860
- http://www.vupen.com/english/advisories/2006/3869
- http://www.vmware.com/support/server/doc/releasenotes_server.html
- http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
- http://www.redhat.com/support/errata/RHSA-2008-0629.html
- http://www.vupen.com/english/advisories/2006/4036
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
- http://www.debian.org/security/2006/dsa-1185
- http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
- http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201534-1
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
- http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
- http://www.vupen.com/english/advisories/2006/3902
- cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*