Mozilla Foundation Security Advisory 2006-60

RSA Signature Forgery

Announced
September 14, 2006
Reporter
Philip Mackenzie, Marius Schilder
Impact
Critical
Products
Firefox, NSS, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.7
  • NSS 3.11.3
  • SeaMonkey 1.0.5
  • Thunderbird 1.5.0.7

Description

Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher's recent presentation of a common implementation error in RSA signature verification, a failure to account for extra data in the signature. For signatures with a small exponent such as 3 it is possible for an attacker to calculate a value for this extra data to make an altered message appear to be correctly signed, allowing the signature to be forged. Mozilla's Network Security Services (NSS) library was vulnerable to this flaw.

Because the set of root Certificate Authorities that ship with Mozilla clients contain some with an exponent of 3 it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent.

We thank Philip Mackenzie and Marius Schilder for bringing this result to our attention and working with us to ensure the NSS library was safe from variations on this basic attack.

Workaround

None, upgrade to a fixed version.

References