FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSL -- CMS and S/MIME Bleichenbacher attack

Affected packages
openssl < 1.0.0_10

Details

VuXML ID: 60eb344e-6eb1-11e1-8ad7-00e0815b8da8
Discovery: 2012-03-12
Entry: 2012-03-15

The OpenSSL Team reports:

A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the million message attack (MMA).

Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice, only automated systems will be affected, as humans will not be willing to process this many messages.

SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS #7 or CMS decryption code.

References

CVE Name: CVE-2012-0884
URL: http://www.openssl.org/news/secadv_20120312.txt