Vulnerability Name: CVE-2008-0166 (CCN-42375)
Assigned: 2008-05-13
Published: 2008-05-13
Updated: 2022-02-02
Summary: OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
CVSS v3 Severity:
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS v2 Severity:
7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
6.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C)
6.4 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C)
Vulnerability Type: CWE-310
Vulnerability Consequences: Other
References:
Source: CCN Type: BugTraq Mailing List, Thu May 15 2008 - 00:54:29 CDT Debian generated SSH-Keys working exploit
Source: MITRE Type: CNA CVE-2008-0166
Source: CCN Type: AST-2008-007 Asterisk installations using cryptographic keys generated by Debian-based systems may be using a vulnerable implementation of OpenSSL
Source: MISC Type: Broken Link http://metasploit.com/users/hdm/tools/debian-openssl/
Source: SECUNIA Type: Vendor Advisory 30136
Source: CCN Type: SA30220 Debian OpenSSL Predictable Random Number Generator and Update
Source: SECUNIA Type: Vendor Advisory 30220
Source: SECUNIA Type: Vendor Advisory 30221
Source: SECUNIA Type: Vendor Advisory 30231
Source: SECUNIA Type: Vendor Advisory 30239
Source: SECUNIA Type: Vendor Advisory 30249
Source: CCN Type: SECTRACK ID: 1020017 OpenSSL for Debian/Ubuntu Predictable RNG Lets Remote Users Determine Cryptographic Keys
Source: MLIST Type: Third Party Advisory [rsyncrypto-devel] 20080523 Advisory - Rsyncrypto maybe affected from Debian OpenSSL reduced entropy problem
Source: CCN Type: IBM Security Bulletin S1004216 IBM XIV Storage System (MTM 2810-A14, 2812-A14) - weak key used in XIV OpenSSL certificate
Source: DEBIAN Type: Patch, Vendor Advisory DSA-1571
Source: DEBIAN Type: Patch DSA-1576
Source: DEBIAN Type: DSA-1571 openssl -- predictable random number generator
Source: DEBIAN Type: DSA-1576 openssh -- predictable random number generator
Source: CCN Type: US-CERT VU#925211 Debian and Ubuntu OpenSSL packages contain a predictable random number generator
Source: CERT-VN Type: Third Party Advisory, US Government Resource VU#925211
Source: CCN Type: OpenSSL Web site OpenSSL: The Open Source toolkit for SSL/TLS
Source: CCN Type: OSVDB ID: 45029 OpenSSL on Debian/Ubuntu Linux Predictable Random Number Generator (RNG) Cryptographic Key Generation Weakness
Source: CCN Type: OSVDB ID: 45503 Ubuntu Linux ssh-vulnkey authorized_keys Unspecified Options Key Guessing Weakness
Source: BUGTRAQ Type: Third Party Advisory, VDB Entry 20080515 Debian generated SSH-Keys working exploit
Source: BID Type: Exploit, Third Party Advisory, VDB Entry 29179
Source: CCN Type: BID-29179 Debian OpenSSL Package Random Number Generator Weakness
Source: SECTRACK Type: Third Party Advisory, VDB Entry 1020017
Source: CCN Type: USN-612-1 OpenSSL vulnerability
Source: UBUNTU Type: Patch, Third Party Advisory USN-612-1
Source: CCN Type: USN-612-2 OpenSSH vulnerability
Source: UBUNTU Type: Patch, Third Party Advisory USN-612-2
Source: CCN Type: USN-612-3 OpenVPN vulnerability
Source: UBUNTU Type: Third Party Advisory USN-612-3
Source: CCN Type: USN-612-4 ssl-cert vulnerability
Source: UBUNTU Type: Third Party Advisory USN-612-4
Source: CCN Type: USN-612-7 OpenSSH update
Source: UBUNTU Type: Third Party Advisory USN-612-7
Source: CERT Type: Third Party Advisory, US Government Resource TA08-137A
Source: XF Type: Third Party Advisory, VDB Entry openssl-rng-weak-security(42375)
Source: XF Type: UNKNOWN openssl-rng-weak-security(42375)
Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 5622
Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 5632
Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 5720
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable