• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: RSAREF Buffer Overflow Vulnerability

Severity: HIGH

Description:

A buffer overflow vulnerability exists in the RSAREF cryptographic library which may possibly make any software using the library vulnerable.

The vulnerability exists in four functions in the rsa.c source file. The functions are:

int RSAPublicEncrypt()
int RSAPrivateEncrypt()
int RSAPublicDecrypt()
int RSAPrivateDecrypt()

All these function define a local variable called pkcsBlock of 128 byte length which can be overflowed making it possible to execute arbitrary code.

This vulnerability, in conbination with BUGTRAQ ID 797, allows versions of both the SSH client and server linked against the RSAREF2 library to be vulnerable to a remote exploit.

Programs linked against the SSLeay and OpenSSL libraries are not vulnerable as these libraries check the modulus lenght is not longer than what the RSAREF library can handle (MAX_RSA_MODULUS_LEN) in the RSAref_Public_eay2ref() and RSAref_Private_eay2ref() glue functions.

Affected Products:

• OpenSSL Project OpenSSL 0.9.4
• RSA Security RSAREF 2.0.0
• Robert O'Callahan TTSSH 1.1.0
• Robert O'Callahan TTSSH 1.2.0
• Robert O'Callahan TTSSH 1.3.0
• Robert O'Callahan TTSSH 1.4.0
• Robert O'Callahan TTSSH 1.5.0
• Robert O'Callahan TTSSH 1.5.1
• SSH Communications Security SSH 1.2.1
• SSH Communications Security SSH 1.2.10
• SSH Communications Security SSH 1.2.11
• SSH Communications Security SSH 1.2.12
• SSH Communications Security SSH 1.2.13
• SSH Communications Security SSH 1.2.14
• SSH Communications Security SSH 1.2.15
• SSH Communications Security SSH 1.2.16
• SSH Communications Security SSH 1.2.17
• SSH Communications Security SSH 1.2.18
• SSH Communications Security SSH 1.2.19
• SSH Communications Security SSH 1.2.2
• SSH Communications Security SSH 1.2.20
• SSH Communications Security SSH 1.2.21
• SSH Communications Security SSH 1.2.22
• SSH Communications Security SSH 1.2.23
• SSH Communications Security SSH 1.2.24
• SSH Communications Security SSH 1.2.25
• SSH Communications Security SSH 1.2.26
• SSH Communications Security SSH 1.2.27
• SSH Communications Security SSH 1.2.3
• SSH Communications Security SSH 1.2.4
• SSH Communications Security SSH 1.2.5
• SSH Communications Security SSH 1.2.6
• SSH Communications Security SSH 1.2.7
• SSH Communications Security SSH 1.2.8
• SSH Communications Security SSH 1.2.9
• SSLeay SSLeay 0.9.1

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.