ID CVE-2013-4442
Summary Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.
References
Vulnerable Configurations
  • pwgen project pwgen 2.06
    cpe:2.3:a:pwgen_project:pwgen:2.06
CVSS
Base: 5.0 (as of 10-09-2015 - 09:03)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality NONE
Integrity PARTIAL
Availability NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16406.NASL
    description Update to 2.07 (bug 1159526) fixes : - CVE-2013-4440 (bug 1020222, 1020223) - CVE-2013-4442 (bug 1020259, 1020261) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79944
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79944
    title Fedora 21 : pwgen-2.07-1.fc21 (2014-16406)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16368.NASL
    description Update to 2.07 (bug 1159526) fixes : - CVE-2013-4440 (bug 1020222, 1020223) - CVE-2013-4442 (bug 1020259, 1020261) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79937
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79937
    title Fedora 20 : pwgen-2.07-1.fc20 (2014-16368)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16473.NASL
    description Update to 2.07 (bug 1159526) fixes : - CVE-2013-4440 (bug 1020222, 1020223) - CVE-2013-4442 (bug 1020259, 1020261) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80063
    published 2014-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80063
    title Fedora 19 : pwgen-2.07-1.fc19 (2014-16473)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-008.NASL
    description Updated pwgen package fixes security vulnerabilities: Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns (CVE-2013-4440). Pwgen was found to silently fall back to using standard pseudo generated numbers on systems that heavily use entropy. On systems such as those with a lot of daemons providing encryption services, the entropy was found to be exhausted, which forces pwgen to fall back to using standard pseudo generated numbers (CVE-2013-4442).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 80427
    published 2015-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80427
    title Mandriva Linux Security Advisory : pwgen (MDVSA-2015:008)
refmap via4
confirm
fedora
  • FEDORA-2014-16368
  • FEDORA-2014-16406
  • FEDORA-2014-16473
mandriva MDVSA-2015:008
misc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672241
mlist
  • [oss-security] 20140606 Re: CVE Request: pwgen
  • [oss-security] 20141015 Re: RESEND: CVE Request: pwgen
Last major update 10-09-2015 - 11:27
Published 19-12-2014 - 10:59