Executive Summary
Summary | |
---|---|
Title | Debian and Ubuntu OpenSSL packages contain a predictable random number generator |
Informations | |||
---|---|---|---|
Name | VU#925211 | First vendor Publication | 2008-05-15 |
Vendor | VU-CERT | Last vendor Modification | 2008-06-03 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#925211Debian and Ubuntu OpenSSL packages contain a predictable random number generatorOverviewA vulnerability in the OpenSSL package included with the Debian GNU/Linux operating system and its derivatives may cause weak cryptographic keys to be generated.I. DescriptionA weakness exists in the random number generator used by the OpenSSL package included with the Debian GNU/Linux operating system and derivative systems that causes the generated numbers to be predictable. As a result of this weakness, certain encryption keys are much more common than they should be. This vulnerability affects cryptographic applications that use keys generated by the flawed versions of the OpenSSL package. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Any of these keys generated using the affected systems on or after 2006-09-17 may be vulnerable. Keys generated with GnuPG or GNUTLS on the affected systems are not vulnerable because these applications use their own random number generators and not the one from the flawed version of OpenSSL.Note that this vulnerability is specific to Debian, Ubuntu Linux and other Debian-derived operating systems. Other systems can be indirectly affected if weak keys generated by the vulnerable systems are imported into them.
References
Thanks to Florian Weimer of the Debian security team for reporting this vulnerability. Debian, in turn, credits Luciano Bello with discovering this issue. This document was written by Chad R Dougherty.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/925211 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-59 | Session Credential Falsification through Prediction |
CAPEC-112 | Brute Force |
CAPEC-281 | Analytic Attacks |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-338 | Use of Cryptographically Weak PRNG |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17595 | |||
Oval ID: | oval:org.mitre.oval:def:17595 | ||
Title: | USN-612-3 -- openvpn vulnerability | ||
Description: | Once the update is applied, weak shared encryption keys and SSL/TLS certificates will be rejected where possible (though they cannot be detected in all cases). | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-3 CVE-2008-0166 | Version: | 7 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | openvpn |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17688 | |||
Oval ID: | oval:org.mitre.oval:def:17688 | ||
Title: | USN-612-1 -- openssl vulnerability | ||
Description: | A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-1 CVE-2008-0166 | Version: | 7 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17770 | |||
Oval ID: | oval:org.mitre.oval:def:17770 | ||
Title: | USN-612-2 -- openssh vulnerability | ||
Description: | A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-2 CVE-2008-0166 | Version: | 5 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | openssh |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17774 | |||
Oval ID: | oval:org.mitre.oval:def:17774 | ||
Title: | USN-612-4 -- ssl-cert vulnerability | ||
Description: | USN-612-1 fixed vulnerabilities in openssl. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-4 CVE-2008-0166 | Version: | 7 |
Platform(s): | Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | ssl-cert |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17807 | |||
Oval ID: | oval:org.mitre.oval:def:17807 | ||
Title: | USN-612-7 -- openssh update | ||
Description: | USN-612-2 introduced protections for OpenSSH, related to the OpenSSL vulnerabilities addressed by USN-612-1. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-612-7 CVE-2008-0166 | Version: | 5 |
Platform(s): | Ubuntu 6.06 | Product(s): | openssh |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-03-23 | Name : Ubuntu Update for openssh vulnerability USN-612-2 File : nvt/gb_ubuntu_USN_612_2.nasl |
2009-03-23 | Name : Ubuntu Update for openvpn vulnerability USN-612-3 File : nvt/gb_ubuntu_USN_612_3.nasl |
2009-03-23 | Name : Ubuntu Update for ssl-cert vulnerability USN-612-4 File : nvt/gb_ubuntu_USN_612_4.nasl |
2009-03-23 | Name : Ubuntu Update for openssh update USN-612-7 File : nvt/gb_ubuntu_USN_612_7.nasl |
2008-09-04 | Name : USN-612-1 through USN-612-11: OpenSSL vulnerability (openssl) File : nvt/ubuntu_usn-612.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1571-1 (openssl) File : nvt/deb_1571_1.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1576-1 (openssh) File : nvt/deb_1576_1.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1576-2 (openssh) File : nvt/deb_1576_2.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
45503 | Ubuntu Linux ssh-vulnkey authorized_keys Unspecified Options Key Guessing Wea... |
45029 | OpenSSL on Debian/Ubuntu Linux Predictable Random Number Generator (RNG) Cryp... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-03-09 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-612-1.nasl - Type : ACT_GATHER_INFO |
2013-03-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-612-2.nasl - Type : ACT_GATHER_INFO |
2008-05-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-612-7.nasl - Type : ACT_GATHER_INFO |
2008-05-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1576.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-612-3.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-612-4.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-612-5.nasl - Type : ACT_GATHER_INFO |
2008-05-15 | Name : The remote SSH host is set up to accept authentication with weak Debian SSH k... File : ssh_debian_find_weak_keys.nasl - Type : ACT_GATHER_INFO |
2008-05-15 | Name : The remote SSL certificate uses a weak key. File : ssl_debian_weak.nasl - Type : ACT_GATHER_INFO |
2008-05-14 | Name : The remote SSH host keys are weak. File : ssh_debian_weak.nasl - Type : ACT_GATHER_INFO |
2008-05-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1571.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-01-30 13:25:35 |
|
2013-05-11 00:57:29 |
|