Firewall Wizards mailing list archives
RSAREF bug issues (was Re: Looking for "lease based popper access")
From: Bennett Todd <bet () mordor net>
Date: Wed, 15 Dec 1999 14:28:19 -0500
1999-12-13-12:50:43 R. DuFresne:
Has there been a patch released by the RSA folks to deal with it's recent failing? The impact of the RSA buffer overflow is that it affects all applications built around it's core, this includes ssh, ssl enabled webservers, etc.. Yep all those aplications built with RSA are now exploitable, so, has a pacht been released that addresses this and allows folks to patch RSAREF then rebuild all the applications that use it?
I think this note deserves a few comments. First off, yes, there has been a patch posted, the OpenBSD folks at least have released a patch, and maybe other folks have too I don't know, and the RSADSI folks have officially given permission to use this patch. RSADSI didn't release a patch themselves; they aren't programmers, they're just lawyers doing their day job of trying to prevent people from using good encryption. Second, the bug in question only affects the RSAREF code if it can be invoked in a hostile fashion; sufficient parm checking in the caller can protect this bug against a remote exploit. So independantly the OpenSSH folks had fixed their sshd so that this bug didn't end up producing an exploit for them. Third, the bug is only known to exist in the RSAREF code, which is known-bad code. RSADSI forces people within the US who want to use RSA for non-commercial purposes to use RSAREF. They sell a closed-source, proprietary BSAFE lib, which may or may not have similar problems (I'd guess it does, since they're not programmers). Most commercial secure web servers sold in the US are probably linked against BSAFE rather than RSAREF, so they may or may not be at risk, and then only if the SSL invoking code happens to be willing to pass the problem through the the library. And the RSA implementation in OpenSSL doesn't have this problem. Of course it may be a patent violation to use that RSA within the US for some purposes until Sep. 29, 2000. The above are all "to the best of my knowlege", but I figured I'd let all my ignorance hang out here, if I'm wrong on any of I'm sure I'll get corrected fast in this forum:-). -Bennett
Attachment:
_bin
Description:
Current thread:
- Re: Looking for "lease based popper access" Rodney van den Oever (Dec 13)
- Re: Looking for "lease based popper access" sedwards (Dec 13)
- RE: Looking for "lease based popper access" Dom De Vitto (Dec 17)
- <Possible follow-ups>
- RE: Looking for "lease based popper access" Jan van Rensburg (Dec 13)
- RE: Looking for "lease based popper access" R. DuFresne (Dec 14)
- RSAREF Patch Leonard Miyata (Dec 15)
- RSAREF bug issues (was Re: Looking for "lease based popper access") Bennett Todd (Dec 15)
- Re: RSAREF bug issues (was Re: Looking for "lease based popper access") R. DuFresne (Dec 17)
- RE: Looking for "lease based popper access" R. DuFresne (Dec 14)
- Re: Looking for "lease based popper access" sedwards (Dec 13)
- RE: Looking for "lease based popper access" Jan van Rensburg (Dec 15)
- Re: Looking for "lease based popper access" Steven M. Bellovin (Dec 15)