Vulnerability Details : CVE-2008-0166

Exploit prediction scoring system (EPSS) score for CVE-2008-0166

CVSS scores for CVE-2008-0166

CWE ids for CVE-2008-0166

• CWE-310
  Assigned by: nvd@nist.gov (Primary)
• CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
  Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2008-0166

• Red Hat 2008-05-13
  Not vulnerable. This flaw was caused by a third-party vendor patch to the OpenSSL library. This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages.

References for CVE-2008-0166

• http://www.securitytracker.com/id?1020017
  GoDaddy Domain Name Search

  Broken Link;Third Party Advisory;VDB Entry
• http://sourceforge.net/mailarchive/forum.php?thread_name=48367252.7070603%40shemesh.biz&forum_name=rsyncrypto-devel
  Thread: Advisory - Rsyncrypto maybe affected from Debian OpenSSL reduced entropy problem | rsync friendly file encryption

  Third Party Advisory
• https://exchange.xforce.ibmcloud.com/vulnerabilities/42375
  OpenSSL random number generator weak security CVE-2008-0166 Vulnerability Report

  Third Party Advisory;VDB Entry
• http://www.securityfocus.com/archive/1/492112/100/0/threaded
  Broken Link;Third Party Advisory;VDB Entry
• http://secunia.com/advisories/30231
  About Secunia Research | Flexera

  Broken Link;Vendor Advisory
• http://www.debian.org/security/2008/dsa-1571
  [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

  Mailing List;Patch;Vendor Advisory

  CVEs referencing this url
• http://secunia.com/advisories/30239
  About Secunia Research | Flexera

  Broken Link;Vendor Advisory
• http://www.ubuntu.com/usn/usn-612-1
  USN-612-1: OpenSSL vulnerability | Ubuntu security notices | Ubuntu

  Patch;Third Party Advisory
• https://www.exploit-db.com/exploits/5632
  OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby) - Linux remote Exploit

  Exploit;Third Party Advisory;VDB Entry
• https://www.exploit-db.com/exploits/5720
  OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH - Linux remote Exploit

  Exploit;Third Party Advisory;VDB Entry

  CVEs referencing this url
• http://www.ubuntu.com/usn/usn-612-7
  USN-612-7: OpenSSH update | Ubuntu security notices | Ubuntu

  Third Party Advisory
• http://www.ubuntu.com/usn/usn-612-2
  USN-612-2: OpenSSH vulnerability | Ubuntu security notices | Ubuntu

  Patch;Third Party Advisory
• http://www.ubuntu.com/usn/usn-612-3
  USN-612-3: OpenVPN vulnerability | Ubuntu security notices | Ubuntu

  Third Party Advisory
• http://secunia.com/advisories/30136
  About Secunia Research | Flexera

  Broken Link;Vendor Advisory
• http://secunia.com/advisories/30249
  About Secunia Research | Flexera

  Broken Link;Vendor Advisory
• http://www.us-cert.gov/cas/techalerts/TA08-137A.html
  Page Not Found | CISA

  Broken Link;Third Party Advisory;US Government Resource
• http://secunia.com/advisories/30220
  About Secunia Research | Flexera

  Broken Link;Vendor Advisory
• http://www.ubuntu.com/usn/usn-612-4
  USN-612-4: ssl-cert vulnerability | Ubuntu security notices | Ubuntu

  Third Party Advisory
• http://www.kb.cert.org/vuls/id/925211
  VU#925211 - Debian and Ubuntu OpenSSL packages contain a predictable random number generator

  Third Party Advisory;US Government Resource
• http://metasploit.com/users/hdm/tools/debian-openssl/
  Metasploit | Penetration Testing Software, Pen Testing Security | Metasploit

  Broken Link
• http://www.securityfocus.com/bid/29179
  Broken Link;Exploit;Third Party Advisory;VDB Entry
• http://www.debian.org/security/2008/dsa-1576
  [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness

  Mailing List;Patch

  CVEs referencing this url
• http://secunia.com/advisories/30221
  About Secunia Research | Flexera

  Broken Link;Vendor Advisory
• https://www.exploit-db.com/exploits/5622
  OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH - Linux remote Exploit

  Exploit;Third Party Advisory;VDB Entry

Products affected by CVE-2008-0166

• Debian » Debian Linux » Version: 4.0
  cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

  Matching versions
• Openssl » Openssl

  Versions from including (>=) 0.9.8c-1 and up to, including, (<=) 0.9.8g
  cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

  Matching versions
• Canonical » Ubuntu Linux » Version: 6.06
  cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*

  Matching versions
• Canonical » Ubuntu Linux » Version: 7.04
  cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*

  Matching versions
• Canonical » Ubuntu Linux » Version: 7.10
  cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*

  Matching versions
• Canonical » Ubuntu Linux » Version: 8.04
  cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*

  Matching versions