Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

Last Update Date: 28 Jan 2011 Release Date: 19 May 2008 5397 Views

RISK: Medium Risk

Medium Risk

A vulnerabiliity exists in the random number generator used by the OpenSSL package included with the Debian GNU/Linux, Ubuntu, and other Debian-based operating systems. This vulnerability causes the generated numbers to be predictable.

The result of this error is that certain encryption keys are much more common than they should be. This vulnerability affects cryptographic applications that use keys generated by the flawed versions of the OpenSSL package. Affected keys include, but may not be limited to, SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Any of these keys generated using the affected systems on or after 2006-09-17 may be vulnerable. Keys generated with GnuPG, GNUTLS, ccrypt, or other encryption utilities that do not use OpenSSL are not vulnerable because these applications use their own random number generators.

Impact

  • Remote Code Execution

System / Technologies affected

  • Debian, Ubuntu, and Debian-based distributions

Solutions

Debian and Ubuntu have released fixed versions of OpenSSL to address this issue. System administrators can use the ssh-vulnkey application to check for compromised or weak SSH keys. After applying updates, clients using weak keys may be refused by servers.

Vulnerability Identifier

Source

Related Link

Share with

Previous

Microsoft Word Two Vulnerabilities( 14 May 2008 )

14 May 2008 4506 Views

Next

CA Products Code Execution and File Manipulation Vulnerabilities

21 May 2008 4717 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY