ID CVE-2008-0166
Summary OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
References
Vulnerable Configurations
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-3:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-4:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-5:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-6:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8c-9:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-3:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-4:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-5:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-6:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8d-9:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-3:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-4:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-5:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-6:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8e-9:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-3:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-4:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-5:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-6:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8f-9:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-3:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-4:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-5:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-6:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl_project:openssl:0.9.8g-9:*:*:*:*:*:*:*
CVSS
Base: 7.8 (as of 15-10-2018 - 21:58)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:N/A:N
refmap via4
bid 29179
bugtraq 20080515 Debian generated SSH-Keys working exploit
cert TA08-137A
cert-vn VU#925211
debian
  • DSA-1571
  • DSA-1576
exploit-db
  • 5622
  • 5632
  • 5720
misc http://metasploit.com/users/hdm/tools/debian-openssl/
mlist [rsyncrypto-devel] 20080523 Advisory - Rsyncrypto maybe affected from Debian OpenSSL reduced entropy problem
sectrack 1020017
secunia
  • 30136
  • 30220
  • 30221
  • 30231
  • 30239
  • 30249
ubuntu
  • USN-612-1
  • USN-612-2
  • USN-612-3
  • USN-612-4
  • USN-612-7
xf openssl-rng-weak-security(42375)
statements via4
contributor Mark J Cox
lastmodified 2008-05-13
organization Red Hat
statement Not vulnerable. This flaw was caused by a third-party vendor patch to the OpenSSL library. This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages.
Last major update 15-10-2018 - 21:58
Published 13-05-2008 - 17:20