45029 : OpenSSL on Debian/Ubuntu Linux Predictable Random Number Generator (RNG) Cryptographic Key Generation Weakness
Printer | http://osvdb.org/45029 | Email This | Edit Vulnerability

Views This Week
17

Views All Time
541

Info

Last Modified
about 1 month ago

Percent Complete
45%

Disclosure
May 13, 2008

Discovery
Unknown

Dates

Exploit
May 14, 2008

Solution
Unknown

This Entry needs help! It is only 45% Complete. Click the edit link above to add more information.

Contributing is fast and easy, and benefits the entire security community.

Description

 (Description Provided by CVE) : OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Classification

 Location: Local / Remote
Attack Type: Cryptographic
Impact: Loss of Integrity
Solution: Patch
Exploit: Exploit Available
Disclosure: Vendor Verified

Solution

 Currently, there are no known workarounds or upgrades to correct this issue. However, Debian and Ubuntu have released a patch to address this vulnerability.

Products

Unknown or Incomplete

References

Tools & Filters

Nessus

 32305 32321 32357

Credit

Unknown or Incomplete

Blogs

Provided by Technorati

2008/06/02 17:48:00 | debian and the openssl flaw

from: trivia

debian and the openssl flaw June 2nd, 2008 Ben Laurie wrote about the Debian SSL problem a couple of weeks ago ... (CVE-2008-0166). As a result, cryptographic key material may be guessable…….. affected keys include SSH keys

2008/05/23 13:50:27 | Recent Debian private key generation vulnerability

from: CAcert NEWS Blog

Recently discovered predictable RSA and DSA key generation vulnerabilities occurring in Debian OpenSSL packages[1][2]. As many Linux distributions are based of Debian derived distributions like the popular Ubuntu, Knoppix, Kubuntu distributions, there are a significant number of vulnerable RSA and DSA private keys around now

2008/05/22 23:31:46 | Scanner for Debian OpenSSL Vulnerability

from: System Advancements at the Monastery

Scanner for Debian OpenSSL Vulnerability May 22nd, 2008 by abbot [ Vulnerability] ... host keys as identified in CVE-2008-0166. The fingerprints are taken from keys generated by HD Moore’

2008/05/23 13:50:27 | Recent Debian private key generation fulnerability

from: CAcert NEWS Blog

Recently discovered predictable RSA and DSA key generation vulnerabilities occuring in Debian OpenSSL packages[1][2]. As many Linux distributions are based of Debian derived distributions like the popular Ubuntu, Knoppix, Kubuntu distributions, there are a significant number of vulnerable RSA and DSA private keys around now

2008/05/20 03:00:52 | DSA 1576-2: New openssh packages fix predictable randomness

from: Linux More

DSA 1576-2: New openssh packages fix predictable randomness   Posted by Daniela Mehler The Debian Security Team published a new ... type : remote Debian-specific: yes CVE Id(s) : CVE-2008-0166 Matt Zimmerman discovered

2008/05/19 18:08:15 | Debian OpenSSL Vulnerability

from: Scott Golightly's Blog

Debian OpenSSL Vulnerability I got this from an issue of the RISKS digest ... : In Mitre's CVE dictionary: CVE-2008-0166. More information: Luciano Bello discovered ... by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key

2008/05/19 08:01:23 | dsa-1576-1.txt

from: .::anti-abuse.com::.: Security Revealed

Debian Security Advisory 1576-1 - The recently announced vulnerability in Debian’s openssl package (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result, all user and host keys

2008/05/16 12:56:23 | Sun not impacted by OpenSSL random number generator weakness vulnerability (CVE-2008-0166)

from: Security

Sun is not affected by the OpenSSL random number generator weakness vulnerability described in CVE-2008-0166 and CERT Vulnerability Note VU#925211. The versions of OpenSSL bundled with Solaris 10

2008/05/16 16:28:14 | OpenSSL Vulnerability CVE-2008-0166

from: Netmonic Company Blog

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system

2008/05/13 21:58:03 | OpenSSL Vulnerability in Debian

from: Gert@X

OpenSSL Vulnerability in Debian May 13th, 2008 or Debian based distros! Like Ubuntu. I actually dont feel like blogging this, but . ... by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic

2008/05/13 21:27:30 | OpenSSH: Predictable PRNG in debian and ubuntu Linux

from: Don’t fear the penguin

Copying from SANS Internet Storm Center diary: Debian and Ubuntu Linux users should look into their OpenSSH setup. It turns out the used PRNG ( ... be enough to get the key itself compromised. CVE-2008-0166 Ubuntu: USN-612-1 Debian: DSA-1571-1

2008/05/13 20:47:08 | Debian OpenSSL Package Introduces Vulnerability

from: Pythian Group Blog

Debian OpenSSL Package Introduces Vulnerability May 13th, 2008 - by Don Seiler The highlight today of probably every Linux-related mailing list and IRC channel was the announcement of CVE-2008-0166, affecting OpenSSL libraries on Debian-based Linux

2008/05/13 19:05:19 | Debian OpenSSL Predictable Random Number Generator & Perl script

from: Marshall Mar -- The Blog

The media is currently overflown with this news. Debians openssl package included a patch that introduced a vulnerability to Debian systems and its ... change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may

2008/05/14 01:25:46 | openssl: predictable random number generator in key (Ubuntu/Debian DSA 1571-1)

from: rolfs.no: Experiencing weblogging

A predictability of the random number is not good. It makes the randomness predictable, which makes it just predictable ... . It is a Debian-specific remote vulnerability. It got CVE Id: CVE-2008-0166. Here is a perl script

2008/05/13 22:52:10 | Debian OpenSSL security advisory

from: linux.gen.nz

http://www.debian.org/security/2008/dsa-1571 “Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.” And “It is strongly recommended

2008/05/13 22:44:47 | OpenSSL Vulnerability in Debian

from: Views on Life

or Debian based distros! Like Ubuntu. I actually dont feel like blogging this, but .. I feel I should mention it ... change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may

2008/05/13 22:32:54 | Debian SSL/SSH key flaw!

from: On the way to inifinity

Debian SSL/SSH key flaw! Apparently the SSL crypto has a dubious and easily crackable method. This link is to a security advisory for Linux! ... =========================================================== Ubuntu Security Notice USN-612-1 May 13, 2008 openssl vulnerability CVE-2008-0166

2008/05/15 14:49:38 | SSH/SSL/VPN keys broken

from: Blog B

Now for a little trek into geek territory: A couple of days ago a vulnerability was found in the random number generators used to create secure SSH, ... ://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166 DSA: http://lists.debian.org/debian-security

2008/05/14 22:21:32 | security alert!

from: Sexiest tinfoil hat, ever!

For those of my friends running Debian, Ubuntu or a Debian derivative… or have keys that were generated on a Debian (or related) ... CVE-2008-0166 =========================================================== A weakness ... . (CVE-2008-0166) This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu

2008/05/14 22:00:11 | Deki Wiki VM Security Updates

from: MindTouch, Inc Blog

Since the 8.05 Jay Cooke VM release, Debian has announced several security updates which affect the Deki Wiki VM ... : The recently announced vulnerability in Debian’s openssl package (DSA-1571-1, CVE-2008-0166

2008/05/14 21:20:44 | ssh-vulnkey -a

from: MDLog:/sysadmin

Yesterday, 13 May 2008, was a really bad day for the Debian project, probably one of the worst days in the history of Debian. Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166

2008/05/14 11:56:42 | Debian.org Accounts Blocked Due To Recent OpenSSL Vulnerabilities

from: Daily cyber threats and internet security news

Debian.org Accounts Blocked Due To Recent OpenSSL Vulnerabilities Recently discovered weakness in debian OpenSSL’s random number generator, ... to the OpenSSL package (CVE-2008-0166). As a result, cryptographic key material may be guessable

2008/05/15 20:13:30 | Major Linux Vulnerability: Debian PRNG

from: Penguin in a Wheatfield

Major Linux Vulnerability: Debian PRNG May 15, 2008 by haytkir Two days ago this vulnerability was released: http://www.debian ... package (CVE-2008-0166). As a result, cryptographic key material may be guessable

Comments

Add Comment

No Comments.

DONATE NOW!

User Status

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use