


Category:   Application (VoIP)  >   Asterisk
Vendors:   Digium (Linux Support Services)
(Asterisk Issues Advisory) OpenSSL for Debian/Ubuntu Predictable RNG Lets Remote Users Determine Cryptographic Keys
SecurityTracker Alert ID:  1020107
SecurityTracker URL:
CVE Reference:   CVE-2008-0166
Date:  May 22 2008
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenSSL on Debian and Ubuntu Linux. A remote user can determine keys. Keys generated using Asterisk's 'astgenkey' script may be compromised.

The OpenSSL random number generator creates keys in a predictable manner. A remote user can conduct guessing attacks to determine cryptographic keys.

Systems based on Debian Linux are affected, including Ubuntu Linux.

All cryptographic keys generated may be affected, including SSH keys, OpenVPN keys, DNSSEC keys, keys used in X.509 certificates, and session keys used in SSL/TLS connections.

GnuPG and GNUTLS keys are not affected.

Luciano Bello reported this vulnerability.

Impact:   A remote user can determine keys.
Solution:   Asterisk issued an advisory warning that the Asterisk 'astgenkey' script uses OpenSSL to generate cryptographic keys. Keys that were generated on Debian-based systems may be compromised and should be regenerated using a fixed version of Debian OpenSSL.

The Asterisk advisory is available at:

Cause:   Randomization error
Underlying OS:  Linux (Debian), Linux (Ubuntu)

Message History:   This archive entry is a follow-up to the message listed below.
May 13 2008 OpenSSL for Debian/Ubuntu Predictable RNG Lets Remote Users Determine Cryptographic Keys
