exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 16 of 16 RSS Feed

CVE-2008-0166

Status Candidate

Overview

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Related Files

openid-dns.txt
Posted Aug 8, 2008
Authored by Ben Laurie

Various OpenID Providers (OPs) have TLS server certificates that use weak keys as a result of the Debian predictable random number generator vulnerability.

tags | advisory
systems | linux, debian
advisories | CVE-2008-3280, CVE-2008-0166, CVE-2008-1447
SHA-256 | 4ddd04a36c9b48f9c80e6563aa1fa71fc5a92fd3361f08a3b4f6e658063a2112
Ubuntu Security Notice 612-11
Posted Jun 18, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-11 - USN-612-3 addressed a weakness in OpenSSL certificate and key generation and introduced openssl-blacklist to aid in detecting vulnerable certificates and keys. This update adds RSA-4096 blacklists to the openssl-blacklist-extra package and adjusts openssl-vulnkey to properly handle RSA-4096 and higher moduli. by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

tags | advisory
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | 9ab362f3984723340c03bf044eb7c4c9e2612864e5b89ab2ca4ac38b110972b1
Ubuntu Security Notice 612-10
Posted Jun 13, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-10 - USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS with password protected certificates which caused OpenVPN to not start when used with applications such as NetworkManager.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2008-0166
SHA-256 | c3b72d16aa6118fc55173675b125dd7cd1a8cb994d62aaa5135fe8223eb9d24e
Ubuntu Security Notice 612-9
Posted Jun 13, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-9 - USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check Certificate Signing Requests, accept input from STDIN, and check moduli without a certificate. It was also discovered that additional moduli are vulnerable if generated with OpenSSL 0.9.8g or higher. While it is believed that there are few of these vulnerable moduli in use, this update includes updated RSA-1024 and RSA-2048 blacklists. RSA-512 blacklists are also included in the new openssl-blacklist-extra package.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2008-0166
SHA-256 | 6b39152d15d2e393478edc16a6f8b6180c8b6392791e69834fbc294e999cb484
haxssl.tgz
Posted May 29, 2008
Authored by hhp, Cody Tubbs

This Ruby code will test a specified Host's SSL certificate against the Debian-based blacklist of keys (RSA 2048 and DSA 1024) generated during the period where openssl on Debian-based installs suffered from a weakness in random number generation. Note that the blacklist is embedded in the code so the file is about 23 MB.

tags | tool, scanner, ruby
systems | linux, unix, debian
advisories | CVE-2008-0166
SHA-256 | 288124a67c707a0fcf89edfbedf7c4788dd853dd55871cba94ecfe308e0ea1ae
AST-2008-007.txt
Posted May 22, 2008
Authored by Mark Michelson | Site asterisk.org

Asterisk Project Security Advisory - Asterisk installations using cryptographic keys generated by Debian-based systems may be using a vulnerable implementation of OpenSSL.

tags | advisory
systems | linux, debian
advisories | CVE-2008-0166
SHA-256 | 9e1a273be0fa164aae613d72d1ac5770291a36e329b0ef6f8f88dc52d55212ae
Ubuntu Security Notice 612-7
Posted May 20, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-7 - USN-612-2 introduced protections for OpenSSH, related to the OpenSSL vulnerabilities addressed by USN-612-1. This update provides the corresponding updates for OpenSSH in Ubuntu 6.06 LTS. While the OpenSSL in Ubuntu 6.06 is not vulnerable, this update will block weak keys generated on systems that may have been affected themselves. A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

tags | advisory, vulnerability
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | b8a3d7140bb40c836f0c4783f297dddf48e4e0cd26ed7af88c52cbf6f4b50bf1
Debian Linux Security Advisory 1576-2
Posted May 19, 2008
Authored by Debian | Site debian.org

Debian Security Advisory 1576-2 - Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with options (such as "no-port-forwarding" or forced commands) were ignored by the new ssh-vulnkey tool introduced in openssh 1:4.3p2-9etch1 (see DSA 1576-1). This could cause some compromised keys not to be listed in ssh-vulnkey's output.

tags | advisory
systems | linux, debian
advisories | CVE-2008-0166
SHA-256 | 9a08d757026ded7307f939be069d89b9021ed7b39ce0e38b14bb5e3807dd48bc
Debian Linux Security Advisory 1576-1
Posted May 15, 2008
Authored by Debian | Site debian.org

Debian Security Advisory 1576-1 - The recently announced vulnerability in Debian's openssl package (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result, all user and host keys generated using broken versions of the openssl package must be considered untrustworthy, even after the openssl update has been applied.

tags | advisory
systems | linux, debian
advisories | CVE-2008-0166
SHA-256 | 5c110ac623d7c7d1b7fe0bd5c06529c3990e1bbe81f0d1236cca7116030765bc
Ubuntu Security Notice 612-6
Posted May 15, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-6 - USN-612-3 addressed a weakness in OpenSSL certificate and keys generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS and multi-client/server which caused OpenVPN to not start when using valid SSL certificates. It was also found that openssl-vulnkey from openssl-blacklist would fail when stderr was not available. This caused OpenVPN to fail to start when used with applications such as NetworkManager. A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

tags | advisory
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | 7e63bbffb37c33ccf090346f058368147f3c37390c6dfde931c397adaa21bff0
Ubuntu Security Notice 612-5
Posted May 15, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-5 - Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with options (such as "no-port-forwarding" or forced commands) were ignored by the new ssh-vulnkey tool introduced in OpenSSH (see USN-612-2). This could cause some compromised keys not to be listed in ssh-vulnkey's output. A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

tags | advisory
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | af17f8852f565befbd145d3612df917d7a2e55e49a8e8e765156d700e9d7e1e5
Ubuntu Security Notice 612-4
Posted May 15, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-4 - USN-612-1 fixed vulnerabilities in openssl. This update provides the corresponding updates for ssl-cert -- potentially compromised snake-oil SSL certificates will be regenerated. A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

tags | advisory, vulnerability
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | 4bb586ac471bbf5afdd3db8aca2a10418f0d0bee2f43094e75cb546a03f8f2f6
Ubuntu Security Notice 612-3
Posted May 13, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-3 - A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of shared encryption keys and SSL/TLS certificates in OpenVPN. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

tags | advisory
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | d1b51a7c86616452a841cab5c023851e85953537abe832637af6433873363015
Ubuntu Security Notice 612-2
Posted May 13, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-2 - A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.

tags | advisory
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | a3fe7f7dd11d8ef80fad04e03042c734c5101a92993b5be8c41e700a460875f0
Debian Linux Security Advisory 1571-1
Posted May 13, 2008
Authored by Debian | Site debian.org

Debian Security Advisory 1571-1 - Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package. As a result, cryptographic key material may be guessable. This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

tags | advisory
systems | linux, debian
advisories | CVE-2008-0166
SHA-256 | 32b6972f4816a9a80732fc9314dabd27a27224f039be6fcb0e57b1864547041e
Ubuntu Security Notice 612-1
Posted May 13, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 612-1 - A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.

tags | advisory
systems | linux, debian, ubuntu
advisories | CVE-2008-0166
SHA-256 | 6c4648317e23f3b49406c8b43ef224fe90853ce862ab7fac1f14108cbfcd81ca
Page 1 of 1
Back1Next

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close