(Asterisk Issues Advisory) OpenSSL for Debian/Ubuntu Predictable RNG Lets Remote Users Determine Cryptographic Keys
|
|
SecurityTracker Alert ID: 1020107 |
|
SecurityTracker URL: http://securitytracker.com/id/1020107
|
|
CVE Reference:
CVE-2008-0166
(Links to External Site)
|
Date: May 22 2008
|
Impact:
Disclosure of authentication information
|
Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in OpenSSL on Debian and Ubuntu Linux. A remote user can determine keys. Keys generated using Asterisk's 'astgenkey' script may be compromised.
The OpenSSL random number generator creates keys in a predictable manner. A remote user can conduct guessing attacks to determine cryptographic keys.
Systems based on Debian Linux are affected, including Ubuntu Linux.
All cryptographic keys generated may be affected, including SSH keys, OpenVPN keys, DNSSEC keys, keys used in X.509 certificates, and session keys used in SSL/TLS connections.
GnuPG and GNUTLS keys are not affected.
Luciano Bello reported this vulnerability.
|
Impact:
A remote user can determine keys.
|
Solution:
Asterisk issued an advisory warning that the Asterisk 'astgenkey' script uses OpenSSL to generate cryptographic keys. Keys that were generated on Debian-based systems may be compromised and should be regenerated using a fixed version of Debian OpenSSL.
The Asterisk advisory is available at:
http://downloads.digium.com/pub/security/AST-2008-007.html
|
Cause:
Randomization error
|
Underlying OS:
Linux (Debian), Linux (Ubuntu)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 22 May 2008 12:45:23 -0400
Subject: http://downloads.digium.com/pub/security/AST-2008-007.html
|
CVE-2008-0166
|
|
