SA-20040802 GnuTLS certificate chain verification bug

From: Patrik Hornik (patrik_at_hornik.sk)
Date: 08/02/04

    Date: Mon, 2 Aug 2004 17:18:46 +0200
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ======================================================================
    Security advisory 20040802
    - ----------------------------------------------------------------------
      Product: GnuTLS
      Vulnerability type: wrong algorithm
      Impact: DoS
      Severity: low
      Issue date: 2004/08/02
      Last updated: 2004/08/02
    ======================================================================

    Description
    - -----------

    Mr. Hornik has discovered an error in the X.509 certificate chain
    verification procedure of the GnuTLS library. A certificate chain
    should be verified from the last (root) certificate to the first
    certificate. Otherwise an attacker can force a large amount of
    unauthorized CPU processing on checking certificate signatures made
    with arbitrary RSA/DSA keys of the attacker's choosing.

    In GnuTLS the signatures are checked from the first to the last
    certificate, and there is no limit on key size and no limit on the
    length of the certificate chain.

    Vulnerability
    - -------------

    The GnuTLS library checks the signatures from the first to the last
    (root) certificate of the chain, with no limit on key size and no
    limit on the length of the certificate chain. An attacker can
    therefore construct a certificate chain that makes the library
    verify a signature made with an RSA key of a size the attacker
    chooses. This is not the case when verifying from the last (root)
    certificate to the first: then only signatures made by trusted
    certificates, and so with trusted keys, are checked.

    The main problem is that the key size can be chosen: with RSA keys
    the cost of verifying a signature depends on the square of the key
    size. For example, verifying a signature made with a 32768-bit RSA
    key takes approximately 1024 times longer than verifying a signature
    made with a 1024-bit RSA key (with a similar bit length of e).
    Because RSA verification is not a simple operation, with longer keys
    a single verification takes such a significant amount of processing
    power that one can effectively launch a DoS on the CPU resources of
    a remote machine running GnuTLS.

    Who is affected?
    - ----------------

    All users of GnuTLS library version 1.0.16 and below who use it to
    verify X.509 certificate chains are affected.

    Version 1.0.17, which fixes this issue by introducing limits on key
    size and chain length, is available from the vendor together with
    this announcement.

    Recommendations
    - ---------------

    Upgrade your GnuTLS library to version 1.0.17 or later, which fixes
    this issue, and restart all dependent applications if needed.

    References
    - ----------

    This security advisory:
    http://www.hornik.sk/SA/SA-20040802.txt

    GnuTLS:
    http://www.gnu.org/software/gnutls/

    Contact
    - -------

    Patrik Hornik
    - --
    Email: patrik@hornik.sk
    Phone: +421 905 385 666
    PGP KeyID: 940AA357

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.0.2i

    iQA/AwUBQQ5KKp4J6KGUCqNXEQK5tACgo9/t1cSCvaihE1yy/N/wvPXCvowAoOlA
    v0adXHcIJyrMsHlmmwVCC58v
    =c6Re
    -----END PGP SIGNATURE-----
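
The ordering argument from the advisory, as an added example that is not part of the original message and is not GnuTLS code: a C model that counts verification work, in units of one 1024-bit RSA verification and using the advisory's quadratic estimate, for first-to-last checking and for root-first checking with limits. The `struct cert` model, the `MAX_CHAIN` and `MAX_BITS` values, the function names and the sample chain are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

struct cert {            /* constructed model, not a GnuTLS type */
    int issuer;          /* id of the key that signed this certificate */
    unsigned bits;       /* size of the RSA key this certificate carries */
    int sig_ok;          /* stand-in for the real signature check result */
};
#define MAX_CHAIN 8u     /* assumed limits for this example, */
#define MAX_BITS  8192u  /* not the values GnuTLS 1.0.17 uses */

/* Cost of one verification relative to a 1024-bit key (quadratic in key size). */
static unsigned long cost(unsigned bits) { unsigned long k = bits / 1024u; return k * k; }

/* chain[0] is the end entity; chain[i] is checked with the key in chain[i+1],
 * and chain[n-1] is checked with the trust anchor's key. */
/* First-to-last order without limits, as described for GnuTLS <= 1.0.16. */
int verify_leaf_first(const struct cert *chain, size_t n, int anchor,
                      unsigned anchor_bits, unsigned long *work) {
    *work = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        *work += cost(chain[i + 1].bits);  /* key not yet authenticated */
        if (!chain[i].sig_ok) return 0;
    }
    if (chain[n - 1].issuer != anchor) return 0;
    *work += cost(anchor_bits);
    return chain[n - 1].sig_ok;
}

/* Root-first order, with both limits enforced before any signature work. */
int verify_root_first(const struct cert *chain, size_t n, int anchor,
                      unsigned anchor_bits, unsigned long *work) {
    *work = 0;
    if (n == 0 || n > MAX_CHAIN || chain[n - 1].issuer != anchor) return 0;
    for (size_t i = n; i-- > 0; ) {
        unsigned bits = (i == n - 1) ? anchor_bits : chain[i + 1].bits;
        if (bits > MAX_BITS) return 0;
        *work += cost(bits);               /* anchor key or already-verified key */
        if (!chain[i].sig_ok) return 0;
    }
    return 1;
}
/* Constructed input: 32768-bit keys chosen by the sender, top signature invalid. */
static const struct cert hostile[3] = { {2, 32768, 1}, {3, 32768, 1}, {1, 32768, 0} };

int main(void) {
    unsigned long a, b;
    verify_leaf_first(hostile, 3, 1, 1024, &a);
    verify_root_first(hostile, 3, 1, 1024, &b);
    printf("leaf-first work=%lu, root-first work=%lu\n", a, b);
}
```

Both orders reject the constructed chain; the difference is how much work is spent on keys nobody trusted before the rejection.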

