Vulnerability Details : CVE-2008-0166
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
Products affected by CVE-2008-0166
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-0166
EPSS score: 9.67% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~95% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2008-0166
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N | 10.0 | 6.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 2024-02-09 |
CWE ids for CVE-2008-0166
- Assigned by: nvd@nist.gov (Primary)
- The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-0166
- Red Hat (2008-05-13): Not vulnerable. This flaw was caused by a third-party vendor patch to the OpenSSL library. This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages.
References for CVE-2008-0166
- http://www.securitytracker.com/id?1020017
  Title: GoDaddy Domain Name Search
  Tags: Broken Link; Third Party Advisory; VDB Entry
- http://sourceforge.net/mailarchive/forum.php?thread_name=48367252.7070603%40shemesh.biz&forum_name=rsyncrypto-devel
  Title: Thread: Advisory - Rsyncrypto maybe affected from Debian OpenSSL reduced entropy problem | rsync friendly file encryption
  Tags: Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42375
  Title: OpenSSL random number generator weak security CVE-2008-0166 Vulnerability Report
  Tags: Third Party Advisory; VDB Entry
- http://www.securityfocus.com/archive/1/492112/100/0/threaded
  Tags: Broken Link; Third Party Advisory; VDB Entry
- http://secunia.com/advisories/30231
  Title: About Secunia Research | Flexera
  Tags: Broken Link; Vendor Advisory
- http://www.debian.org/security/2008/dsa-1571
  Title: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
  Tags: Mailing List; Patch; Vendor Advisory
- http://secunia.com/advisories/30239
  Title: About Secunia Research | Flexera
  Tags: Broken Link; Vendor Advisory
- http://www.ubuntu.com/usn/usn-612-1
  Title: USN-612-1: OpenSSL vulnerability | Ubuntu security notices | Ubuntu
  Tags: Patch; Third Party Advisory
- https://www.exploit-db.com/exploits/5632
  Title: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby) - Linux remote Exploit
  Tags: Exploit; Third Party Advisory; VDB Entry
- https://www.exploit-db.com/exploits/5720
  Title: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH - Linux remote Exploit
  Tags: Exploit; Third Party Advisory; VDB Entry
- http://www.ubuntu.com/usn/usn-612-7
  Title: USN-612-7: OpenSSH update | Ubuntu security notices | Ubuntu
  Tags: Third Party Advisory
- http://www.ubuntu.com/usn/usn-612-2
  Title: USN-612-2: OpenSSH vulnerability | Ubuntu security notices | Ubuntu
  Tags: Patch; Third Party Advisory
- http://www.ubuntu.com/usn/usn-612-3
  Title: USN-612-3: OpenVPN vulnerability | Ubuntu security notices | Ubuntu
  Tags: Third Party Advisory
- http://secunia.com/advisories/30136
  Title: About Secunia Research | Flexera
  Tags: Broken Link; Vendor Advisory
- http://secunia.com/advisories/30249
  Title: About Secunia Research | Flexera
  Tags: Broken Link; Vendor Advisory
- http://www.us-cert.gov/cas/techalerts/TA08-137A.html
  Title: Page Not Found | CISA
  Tags: Broken Link; Third Party Advisory; US Government Resource
- http://secunia.com/advisories/30220
  Title: About Secunia Research | Flexera
  Tags: Broken Link; Vendor Advisory
- http://www.ubuntu.com/usn/usn-612-4
  Title: USN-612-4: ssl-cert vulnerability | Ubuntu security notices | Ubuntu
  Tags: Third Party Advisory
- http://www.kb.cert.org/vuls/id/925211
  Title: VU#925211 - Debian and Ubuntu OpenSSL packages contain a predictable random number generator
  Tags: Third Party Advisory; US Government Resource
- http://metasploit.com/users/hdm/tools/debian-openssl/
  Title: Metasploit | Penetration Testing Software, Pen Testing Security | Metasploit
  Tags: Broken Link
- http://www.securityfocus.com/bid/29179
  Tags: Broken Link; Exploit; Third Party Advisory; VDB Entry
- http://www.debian.org/security/2008/dsa-1576
  Title: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness
  Tags: Mailing List; Patch
- http://secunia.com/advisories/30221
  Title: About Secunia Research | Flexera
  Tags: Broken Link; Vendor Advisory
- https://www.exploit-db.com/exploits/5622
  Title: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH - Linux remote Exploit
  Tags: Exploit; Third Party Advisory; VDB Entry