Executive Summary
Summary | |
---|---|
Title | openssl weak default configuration |
Informations | |||
---|---|---|---|
Name | USN-179-1 | First vendor Publication | 2005-09-09 |
Vendor | Ubuntu | Last vendor Modification | 2005-09-09 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: openssl The problem can be corrected by upgrading the affected package to version 0.9.7d-3ubuntu0.2 (for Ubuntu 4.10), or 0.9.7e-3ubuntu0.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: The current default algorithm for creating "message digests" (electronic signatures) for certificates created by openssl is MD5. However, this algorithm is not deemed secure any more, and some practical attacks have been demonstrated which could allow an attacker to forge certificates with a valid certification authority signature even if he does not know the secret CA signing key. Therefore all Ubuntu versions of openssl have now been changed to use SHA-1 by default. This is a more appropriate default algorithm for the majority of use cases; however, if you still want to use MD5 as default, you can revert this change by changing the two instances of "default_md = sha1" to "default_md = md5" in /etc/ssl/openssl.cnf. A detailed explanation and further links can be found at http://www.cits.rub.de/MD5Collisions/ |
Original Source
Url : http://www.ubuntu.com/usn/USN-179-1 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-20 | Encryption Brute Forcing |
CAPEC-97 | Cryptanalysis |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
19660 | OpenSSL Default Algorithm MD5 Weak Digest Encryption |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-01-04 | Name : The default configuration of OpenSSL on the remote server uses a weak hash al... File : openssl_0_9_8.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-179-1.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-179.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:01:48 |
|