VYPR
Unrated severity · NVD Advisory · Published Mar 24, 2003 · Updated Jun 16, 2026

CVE-2003-0131

Description

The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (12)

  • cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
  • (no CPE) range: <=0.9.6i, 0.9.7, 0.9.7a

Patches

Vulnerability mechanics

Root cause

"Distinct SSL error alerts for RSA decryption failures and protocol version mismatches leak information about the plaintext corresponding to a chosen ciphertext, enabling a Bleichenbacher-style oracle attack."

Attack vector

An attacker opens millions of SSL/TLS connections to the target server, sending specially crafted RSA ciphertexts that use PKCS #1 v1.5 padding [ref_id=1]. By observing the server's behavior—specifically whether it returns a decryption error or a version-number error—the attacker can deduce information about the relationship between a chosen ciphertext and its corresponding plaintext [ref_id=1]. This information leakage effectively allows the attacker to perform a single unauthorized RSA private-key operation on a ciphertext of its choice, though the server's RSA key itself is not compromised [ref_id=1]. The attack requires no special privileges beyond network access to the server.

Affected code

The vulnerability resides in the SSL/TLS server code within `s3_srvr.c`, specifically in the `ssl3_get_client_key_exchange` function. The patch targets two error-reporting paths: the RSA decryption length check and the protocol version number check. These paths previously emitted distinct SSL error alerts (`SSL_R_BAD_RSA_DECRYPT` and `SSL_R_BAD_PROTOCOL_VERSION_NUMBER`) that could be observed by an attacker.

What the fix does

The patch removes the distinct SSL error alerts that were previously emitted for RSA decryption failures and bad protocol version numbers, replacing them with silent handling that falls through to the existing countermeasure code [ref_id=1]. Specifically, the `SSLerr` calls for `SSL_R_BAD_RSA_DECRYPT` and `SSL_R_BAD_PROTOCOL_VERSION_NUMBER` are commented out, and the `goto f_err` that would abort the handshake on a version mismatch is removed [ref_id=1]. Instead, when any decryption error occurs, the server now generates a random pre-master secret (via `RAND_pseudo_bytes`) and continues the handshake normally, preventing the attacker from distinguishing between different error types and thereby closing the "bad version oracle" that the Klima-Pokorny-Rosa attack exploited [ref_id=1].
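The two error paths described above, as an added illustration that is not OpenSSL's code: a stand-alone C model of the checks in `ssl3_get_client_key_exchange`, pre-fix and post-fix, with the random bytes handed in by the caller in place of `RAND_pseudo_bytes`. The function names, the status enum and the constructed sample secret are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define PMS_LEN 48  /* SSL_MAX_MASTER_KEY_LENGTH: size of an RSA pre-master secret */

/* Outcomes the pre-fix code turned into distinct alerts (SSL_R_BAD_RSA_DECRYPT
 * vs SSL_R_BAD_PROTOCOL_VERSION_NUMBER), telling the peer which check failed. */
enum pms_status { PMS_OK = 0, PMS_BAD_RSA_DECRYPT = 1, PMS_BAD_VERSION = 2 };

/* Pre-fix shape: early exit with a failure-specific status. */
enum pms_status pms_check_vulnerable(const unsigned char *dec, size_t dec_len,
                                     unsigned char major, unsigned char minor)
{
    if (dec_len != PMS_LEN) return PMS_BAD_RSA_DECRYPT;             /* alert #1 */
    if (dec[0] != major || dec[1] != minor) return PMS_BAD_VERSION; /* alert #2 */
    return PMS_OK;
}

/* Post-fix shape: no early exit, no failure-specific status. Both checks fold
 * into one flag; on failure the caller-supplied random bytes (standing in for
 * RAND_pseudo_bytes) become the pre-master secret, so the handshake continues
 * and later fails at the Finished check the same way whatever went wrong. */
void pms_derive_hardened(const unsigned char *dec, size_t dec_len,
                         unsigned char major, unsigned char minor,
                         const unsigned char rnd[PMS_LEN], unsigned char out[PMS_LEN])
{
    int bad = (dec_len != PMS_LEN);
    if (!bad && (dec[0] != major || dec[1] != minor)) bad = 1; /* same flag */
    memcpy(out, bad ? rnd : dec, PMS_LEN);
}

/* Demo harness over a constructed input (not from the advisory): a 48-byte
 * secret whose first two bytes claim client_version 3.1 (TLS 1.0), decrypted
 * to `dec_len` bytes and checked against the version the server saw in
 * ClientHello. Pre-fix path: the failure-specific status the peer observed. */
enum pms_status pms_vulnerable_demo(size_t dec_len, unsigned char major, unsigned char minor)
{
    unsigned char dec[PMS_LEN] = {3, 1};   /* remaining bytes zero (constructed) */
    return pms_check_vulnerable(dec, dec_len, major, minor);
}

/* Same input through the hardened path: 1 if the random secret was substituted. */
int pms_hardened_used_random(size_t dec_len, unsigned char major, unsigned char minor)
{
    unsigned char dec[PMS_LEN] = {3, 1}, rnd[PMS_LEN], out[PMS_LEN];
    memset(rnd, 0xA5, PMS_LEN);           /* stands in for fresh random bytes */
    pms_derive_hardened(dec, dec_len, major, minor, rnd, out);
    return memcmp(out, rnd, PMS_LEN) == 0;
}
```

The model shows only the alert distinction the advisory describes; in a real server the substituted secret must come from a cryptographic RNG, and the handshake is left to fail at the Finished message rather than at the key exchange.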

Preconditions

  • Network: network access to the target SSL/TLS server
  • Input: ability to initiate millions of SSL/TLS connections with crafted ciphertexts

Reproduction

The advisory does not provide reproduction steps, and no public PoC is included in the bundle.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (23)
