Executive Summary
Summary | |
---|---|
Title | Debian/Ubuntu OpenSSL Random Number Generator Vulnerability |
Informations | |||
---|---|---|---|
Name | TA08-137A | First vendor Publication | 2008-05-16 |
Vendor | US-CERT | Last vendor Modification | 2008-05-16 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A vulnerability in the OpenSSL package included with the Debian GNU/Linux operating system and its derivatives may cause weak cryptographic keys to be generated. Any package that uses the affected version of SSL could be vulnerable. I. Description A vulnerabiliity exists in the random number generator used by the OpenSSL package included with the Debian GNU/Linux, Ubuntu, and other Debian-based operating systems. This vulnerability causes the generated numbers to be predictable. The result of this error is that certain encryption keys are much more common than they should be. This vulnerability affects cryptographic applications that use keys generated by the flawed versions of the OpenSSL package. Affected keys include, but may not be limited to, SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 II. Impact A remote, unauthenticated attacker may be able to guess secret key material. The attacker may also be able to gain authenticated access to the system through the affected service or perform man-in-the-middle attacks. III. Solution Upgrade Debian and Ubuntu have released fixed versions of OpenSSL to address this issue. System administrators can use the ssh-vulnkey application to check for compromised or weak SSH keys. After applying updates, clients using weak keys may be refused by servers. Workaround Until updates can be applied, administrators and users are encouraged to restrict access to vulnerable servers. Debian- and Ubuntu-based systems can use iptables, iptables configuration tools, or tcp-wrappers to limit access. |
Original Source
Url : http://www.us-cert.gov/cas/techalerts/TA08-137A.html |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-59 | Session Credential Falsification through Prediction |
CAPEC-112 | Brute Force |
CAPEC-281 | Analytic Attacks |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-338 | Use of Cryptographically Weak PRNG |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17595 | |||
Oval ID: | oval:org.mitre.oval:def:17595 | ||
Title: | USN-612-3 -- openvpn vulnerability | ||
Description: | Once the update is applied, weak shared encryption keys and SSL/TLS certificates will be rejected where possible (though they cannot be detected in all cases). | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-3 CVE-2008-0166 | Version: | 7 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | openvpn |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17688 | |||
Oval ID: | oval:org.mitre.oval:def:17688 | ||
Title: | USN-612-1 -- openssl vulnerability | ||
Description: | A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-1 CVE-2008-0166 | Version: | 7 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17770 | |||
Oval ID: | oval:org.mitre.oval:def:17770 | ||
Title: | USN-612-2 -- openssh vulnerability | ||
Description: | A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-2 CVE-2008-0166 | Version: | 5 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | openssh |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17774 | |||
Oval ID: | oval:org.mitre.oval:def:17774 | ||
Title: | USN-612-4 -- ssl-cert vulnerability | ||
Description: | USN-612-1 fixed vulnerabilities in openssl. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-4 CVE-2008-0166 | Version: | 7 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | ssl-cert |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17807 | |||
Oval ID: | oval:org.mitre.oval:def:17807 | ||
Title: | USN-612-7 -- openssh update | ||
Description: | USN-612-2 introduced protections for OpenSSH, related to the OpenSSL vulnerabilities addressed by USN-612-1. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-7 CVE-2008-0166 | Version: | 5 |
Platform(s): | Ubuntu 6.06 | Product(s): | openssh |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-03-23 | Name : Ubuntu Update for openssh vulnerability USN-612-2 File : nvt/gb_ubuntu_USN_612_2.nasl |
2009-03-23 | Name : Ubuntu Update for openvpn vulnerability USN-612-3 File : nvt/gb_ubuntu_USN_612_3.nasl |
2009-03-23 | Name : Ubuntu Update for ssl-cert vulnerability USN-612-4 File : nvt/gb_ubuntu_USN_612_4.nasl |
2009-03-23 | Name : Ubuntu Update for openssh update USN-612-7 File : nvt/gb_ubuntu_USN_612_7.nasl |
2008-09-04 | Name : USN-612-1 through USN-612-11: OpenSSL vulnerability (openssl) File : nvt/ubuntu_usn-612.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1571-1 (openssl) File : nvt/deb_1571_1.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1576-1 (openssh) File : nvt/deb_1576_1.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1576-2 (openssh) File : nvt/deb_1576_2.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
45503 | Ubuntu Linux ssh-vulnkey authorized_keys Unspecified Options Key Guessing Wea... |
45029 | OpenSSL on Debian/Ubuntu Linux Predictable Random Number Generator (RNG) Cryp... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-03-09 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-612-1.nasl - Type : ACT_GATHER_INFO |
2013-03-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-612-2.nasl - Type : ACT_GATHER_INFO |
2008-05-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-612-7.nasl - Type : ACT_GATHER_INFO |
2008-05-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1576.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-612-3.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-612-4.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-612-5.nasl - Type : ACT_GATHER_INFO |
2008-05-15 | Name : The remote SSH host is set up to accept authentication with weak Debian SSH k... File : ssh_debian_find_weak_keys.nasl - Type : ACT_GATHER_INFO |
2008-05-15 | Name : The remote SSL certificate uses a weak key. File : ssl_debian_weak.nasl - Type : ACT_GATHER_INFO |
2008-05-14 | Name : The remote SSH host keys are weak. File : ssh_debian_weak.nasl - Type : ACT_GATHER_INFO |
2008-05-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1571.nasl - Type : ACT_GATHER_INFO |