1. CVE-Search
  2. CVE-2011-3599
ID CVE-2011-3599
Summary The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack.
References
Vulnerable Configurations
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.01:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.01:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.02:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.02:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.03:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.03:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.10:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.11:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.12:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.13:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.14:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:0.15_01:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:0.15_01:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:1.16:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:1.16:*:*:*:*:*:*:*
  • cpe:2.3:a:adam_kennedy:crypt-dsa:*:*:*:*:*:*:*:*
    cpe:2.3:a:adam_kennedy:crypt-dsa:*:*:*:*:*:*:*:*
  • cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
    cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 21-10-2011 - 02:56)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
refmap via4
bid 49928
confirm https://bugzilla.redhat.com/show_bug.cgi?id=743567
misc https://rt.cpan.org/Public/Bug/Display.html?id=71421
mlist
  • [oss-security] 20111005 CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random
  • [oss-security] 20111005 Re: CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random
osvdb 76025
secunia 46275
Last major update 21-10-2011 - 02:56
Published 10-10-2011 - 10:55
Last modified 21-10-2011 - 02:56
Back to Top