Executive Summary

Title MD5 vulnerable to collision attacks
NameVU#836068First vendor Publication2008-12-31
VendorVU-CERTLast vendor Modification2009-01-21
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score5Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#836068

MD5 vulnerable to collision attacks


Weaknesses in the MD5 algorithm allow for collisions in output. As a result, attackers can generate cryptographic tokens or other data that illegitimately appear to be authentic.

I. Description

A secure cryptographic hash algorithm is one that generates a unique identifier of a fixed size (known as a "digest" or simply "hash") for a block of data of arbitrary size. The MD5 algorithm is a standard, widely used example of such an algorithm and is defined in IETF RFC 1321. One of the requirements of secure cryptographic hash algorithms is that it be extremely unlikely for two different inputs to the algorithm to generate the same digest. This property is generally referred to as collision resistance and cases where an algorithm generates the same digest for two different blocks of data are known as collisions.

Cryptanalytic research published in 1996 described a weakness in the MD5 algorithm that could result in collision attacks, at least in principle. Further research published in 2004 demonstrated the practical ability for an attacker to generate collisions and in 2005 the ability for an attacker to generate colliding x.509 certificates was demonstrated. In 2008, researchers demonstrated the practical vulnerability of Public Key Infrastructures (PKI) to such attacks, including the construction of an SSL certificate that allows an attacker to impersonate a trusted root Certificate Authority (CA). Most operating systems bundle a collection of trusted CA certificates, including some that use the MD5 signing algorithm, providing obvious targets for attackers to spoof.

II. Impact

An attacker can construct forged data in a variety of forms that will cause software using the MD5 algorithm to incorrectly identify it as trustworthy. Because the underlying vulnerability occurs in a cryptographic primitive, specific exploitation scenarios vary widely depending on the nature of the data the attacker has the ability to spoof and how it is validated by software. In a particularly egregious vulnerability scenario, a victim user may be mislead into supplying sensitive information to a malicious website believing that it is authentic based on an apparently valid signed SSL certificate.

III. Solution

We are currently unaware of a practical solution to this problem.

Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.

Scrutinize SSL certificates signed by certificates using the MD5 algorithm
Users may wish to manually analyze the properties of web site certificates that are signed by signing certificates using the MD5 algorithm. The procedures for accessing certificate details differ depending on the software in use but the signature algorithm is often identified in the "Signature algorithm", "Certificate Signature Algorithm", or similarly named field. Users of systems with the OpenSSL command line utility can view certificate properties using "openssl x509 -text" or a similar utility. Certificates listed as md5RSA or similar are affected. Such certificates that include strange or suspicious fields or other anomalies may be fraudulent. Because there are no reliable signs of tampering it must be noted that this workaround is error-prone and impractical for most users.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationUnknown2008-12-31
Verisign Unknown2008-12-31




A number of individuals have previously published research on collision vulnerabilities in MD5 including but not limited to: Hans Dobbertin, Xiaoyun Wang, Hongbo Yu, Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, Dan Kaminsky, and Gerardo Richarte.

This document was written by Chad R Dougherty.

Other Information

Date Public:2008-12-30
Date First Published:2008-12-31
Date Last Updated:2009-01-21
CERT Advisory:
US-CERT Technical Alerts:
Document Revision:13

Original Source

Url : http://www.kb.cert.org/vuls/id/836068

CWE : Common Weakness Enumeration

CWE-310Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13231
Oval ID: oval:org.mitre.oval:def:13231
Title: USN-740-1 -- nss, firefox vulnerability
Description: The MD5 algorithm is known not to be collision resistant
Family: unix Class: patch
Reference(s): USN-740-1
Version: 5
Platform(s): Ubuntu 7.10
Ubuntu 8.04
Ubuntu 6.06
Ubuntu 8.10
Product(s): nss
Definition Synopsis:

CPE : Common Platform Enumeration


OpenVAS Exploits

2009-03-20Name : Ubuntu USN-735-1 (gst-plugins-base0.10)
File : nvt/ubuntu_735_1.nasl
2009-03-20Name : Ubuntu USN-736-1 (gst-plugins-good0.10)
File : nvt/ubuntu_736_1.nasl
2009-03-20Name : Ubuntu USN-737-1 (libsoup)
File : nvt/ubuntu_737_1.nasl
2009-03-20Name : Ubuntu USN-739-1 (amarok)
File : nvt/ubuntu_739_1.nasl
2009-03-20Name : Ubuntu USN-740-1 (firefox)
File : nvt/ubuntu_740_1.nasl
2009-02-10Name : Fedora Core 9 FEDORA-2009-1276 (nss)
File : nvt/fcore_2009_1276.nasl
2009-02-10Name : Fedora Core 10 FEDORA-2009-1291 (nss)
File : nvt/fcore_2009_1291.nasl

Open Source Vulnerability Database (OSVDB)

45127MD5 Algorithm Hash Function Collision Weakness

Nessus® Vulnerability Scanner

2009-04-23Name : The remote Fedora host is missing a security update.
File : fedora_2009-1291.nasl - Type : ACT_GATHER_INFO
2009-04-23Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-740-1.nasl - Type : ACT_GATHER_INFO
2009-02-05Name : The remote Fedora host is missing a security update.
File : fedora_2009-1276.nasl - Type : ACT_GATHER_INFO
2009-01-05Name : An SSL certificate in the certificate chain has been signed using a weak hash...
File : ssl_weak_hash.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
2014-02-17 12:08:12
  • Multiple Updates
2013-05-11 12:26:45
  • Multiple Updates