National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-0166)

National Cyber-Alert System

Vulnerability Summary for CVE-2008-0166

Original release date:05/13/2008

Last revised:02/21/2009

Source: US-CERT/NIST

Overview

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:7.8 (HIGH) (AV:N/AC:L/Au:N/C:C/I:N/A:N) (legend)

Impact Subscore: 6.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information

Vendor Statments (disclaimer)

Official Statement from Red Hat (05/13/2008): Not vulnerable. This flaw was caused by a third-party vendor patch to the OpenSSL library. This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Technical Alert: TA08-137A

Name: TA08-137A

Hyperlink:http://www.us-cert.gov/cas/techalerts/TA08-137A.html

US-CERT Vulnerability Note: VU#925211

Name: VU#925211

Hyperlink:http://www.kb.cert.org/vuls/id/925211

External Source: UBUNTU

Name: USN-612-2

Type: Patch Information

Hyperlink:http://www.ubuntu.com/usn/usn-612-2

External Source: UBUNTU

Name: USN-612-1

Type: Patch Information

Hyperlink:http://www.ubuntu.com/usn/usn-612-1

External Source: DEBIAN

Name: DSA-1576

Type: Patch Information

Hyperlink:http://www.debian.org/security/2008/dsa-1576

External Source: DEBIAN

Name: DSA-1571

Type: Advisory; Patch Information

Hyperlink:http://www.debian.org/security/2008/dsa-1571

External Source: XF

Name: openssl-rng-weak-security(42375)

Hyperlink:http://xforce.iss.net/xforce/xfdb/42375

External Source: UBUNTU

Name: USN-612-7

Hyperlink:http://www.ubuntu.com/usn/usn-612-7

External Source: UBUNTU

Name: USN-612-4

Hyperlink:http://www.ubuntu.com/usn/usn-612-4

External Source: UBUNTU

Name: USN-612-3

Hyperlink:http://www.ubuntu.com/usn/usn-612-3

External Source: SECTRACK

Name: 1020017

Hyperlink:http://www.securitytracker.com/id?1020017

External Source: BID

Name: 29179

Hyperlink:http://www.securityfocus.com/bid/29179

External Source: BUGTRAQ

Name: 20080515 Debian generated SSH-Keys working exploit

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/492112/100/0/threaded

External Source: MILW0RM

Name: 5720

Hyperlink:http://www.milw0rm.com/exploits/5720

External Source: MILW0RM

Name: 5632

Hyperlink:http://www.milw0rm.com/exploits/5632

External Source: MILW0RM

Name: 5622

Hyperlink:http://www.milw0rm.com/exploits/5622

External Source: MLIST

Name: [rsyncrypto-devel] 20080523 Advisory - Rsyncrypto maybe affected from Debian OpenSSL reduced entropy problem

Hyperlink:http://sourceforge.net/mailarchive/forum.php?thread_name=48367252.7070603%40shemesh.biz&forum_name=rsyncrypto-devel

External Source: SECUNIA

Name: 30249

Type: Advisory

Hyperlink:http://secunia.com/advisories/30249

External Source: SECUNIA

Name: 30239

Type: Advisory

Hyperlink:http://secunia.com/advisories/30239

External Source: SECUNIA

Name: 30231

Type: Advisory

Hyperlink:http://secunia.com/advisories/30231

External Source: SECUNIA

Name: 30221

Type: Advisory

Hyperlink:http://secunia.com/advisories/30221

External Source: SECUNIA

Name: 30220

Type: Advisory

Hyperlink:http://secunia.com/advisories/30220

External Source: SECUNIA

Name: 30136

Type: Advisory

Hyperlink:http://secunia.com/advisories/30136

External Source: MISC

Name: http://metasploit.com/users/hdm/tools/debian-openssl/

Hyperlink:http://metasploit.com/users/hdm/tools/debian-openssl/

Vulnerable software and versions

Configuration 1

* cpe:/a:openssl_project:openssl:0.9.8c-1

* cpe:/a:openssl_project:openssl:0.9.8c-2

* cpe:/a:openssl_project:openssl:0.9.8c-3

* cpe:/a:openssl_project:openssl:0.9.8c-4

* cpe:/a:openssl_project:openssl:0.9.8c-5

* cpe:/a:openssl_project:openssl:0.9.8c-6

* cpe:/a:openssl_project:openssl:0.9.8c-7

* cpe:/a:openssl_project:openssl:0.9.8c-8

* cpe:/a:openssl_project:openssl:0.9.8c-9

* cpe:/a:openssl_project:openssl:0.9.8d-1

* cpe:/a:openssl_project:openssl:0.9.8d-2

* cpe:/a:openssl_project:openssl:0.9.8d-3

* cpe:/a:openssl_project:openssl:0.9.8d-4

* cpe:/a:openssl_project:openssl:0.9.8d-5

* cpe:/a:openssl_project:openssl:0.9.8d-6

* cpe:/a:openssl_project:openssl:0.9.8d-7

* cpe:/a:openssl_project:openssl:0.9.8d-8

* cpe:/a:openssl_project:openssl:0.9.8d-9

* cpe:/a:openssl_project:openssl:0.9.8e-1

* cpe:/a:openssl_project:openssl:0.9.8e-2

* cpe:/a:openssl_project:openssl:0.9.8e-3

* cpe:/a:openssl_project:openssl:0.9.8e-4

* cpe:/a:openssl_project:openssl:0.9.8e-5

* cpe:/a:openssl_project:openssl:0.9.8e-6

* cpe:/a:openssl_project:openssl:0.9.8e-7

* cpe:/a:openssl_project:openssl:0.9.8e-8

* cpe:/a:openssl_project:openssl:0.9.8e-9

* cpe:/a:openssl_project:openssl:0.9.8f-1

* cpe:/a:openssl_project:openssl:0.9.8f-2

* cpe:/a:openssl_project:openssl:0.9.8f-3

* cpe:/a:openssl_project:openssl:0.9.8f-4

* cpe:/a:openssl_project:openssl:0.9.8f-5

* cpe:/a:openssl_project:openssl:0.9.8f-6

* cpe:/a:openssl_project:openssl:0.9.8f-7

* cpe:/a:openssl_project:openssl:0.9.8f-8

* cpe:/a:openssl_project:openssl:0.9.8f-9

* cpe:/a:openssl_project:openssl:0.9.8g-1

* cpe:/a:openssl_project:openssl:0.9.8g-2

* cpe:/a:openssl_project:openssl:0.9.8g-3

* cpe:/a:openssl_project:openssl:0.9.8g-4

* cpe:/a:openssl_project:openssl:0.9.8g-5

* cpe:/a:openssl_project:openssl:0.9.8g-6

* cpe:/a:openssl_project:openssl:0.9.8g-7

* cpe:/a:openssl_project:openssl:0.9.8g-8

* cpe:/a:openssl_project:openssl:0.9.8g-9

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Cryptographic Issues (CWE-310)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166