Vulnerability Details : CVE-2012-2417
Potential exploit
PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key.
Products affected by CVE-2012-2417
- cpe:2.3:a:dlitz:pycrypto:*:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.9:alpha6:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.9:alpha5:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.1:alpha2:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.1.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.1.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.9:alpha2:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.9:alpha1:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:2.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.9:alpha4:*:*:*:*:*:*
- cpe:2.3:a:dlitz:pycrypto:1.9:alpha3:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-2417
- 4.09%: probability of exploitation activity in the next 30 days
- ~88%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-2417
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2012-2417
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-2417
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75871 (PyCrypto keys weak security CVE-2012-2417 Vulnerability Report)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081759.html ([SECURITY] Fedora 15 Update: python-crypto-2.3-6.fc15)
- http://www.openwall.com/lists/oss-security/2012/05/25/1 (oss-security - CVE-2012-2417 - PyCrypto <= 2.5 insecure ElGamal key generation)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081713.html ([SECURITY] Fedora 17 Update: python-crypto-2.6-1.fc17)
- http://www.osvdb.org/82279
- http://secunia.com/advisories/49263 (Vendor Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:117
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081789.html ([SECURITY] Fedora 16 Update: python-crypto-2.3-6.fc16)
- http://www.securityfocus.com/bid/53687 (Python PyCrypto Key Generation Weakness)
- https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2 (Fix to bug #985164 (ElGamal key generation). Fix to missing range che… · Legrandin/pycrypto@9f912f1; Exploit, Patch)
- http://www.debian.org/security/2012/dsa-2502 (Debian -- Security Information -- DSA-2502-1 python-crypto)
- https://github.com/dlitz/pycrypto/blob/373ea760f21701b162e8c4912a66928ee30d401a/ChangeLog (pycrypto/ChangeLog at 373ea760f21701b162e8c4912a66928ee30d401a · dlitz/pycrypto)
- https://hermes.opensuse.org/messages/15083589
- https://bugs.launchpad.net/pycrypto/+bug/985164 (Bug #985164 "ElGamal key generation is broken" : Bugs : Python-Crypto)