
Test ID: 1.3.6.1.4.1.25623.1.0.90025
Category: Ubuntu Local Security Checks
Title: Ubuntu: Security Advisories for openssl (USN-612-1 - USN-612-11)
Summary: The remote host is probably affected by the vulnerabilities described in USN-612-1, USN-612-2, USN-612-3, USN-612-4: OpenSSL vulnerability. This VT has been deprecated by dedicated LSCs covering each USN separately.
Description:
Summary:
The remote host is probably affected by the vulnerabilities
described in USN-612-1, USN-612-2, USN-612-3, USN-612-4: OpenSSL vulnerability.

This VT has been deprecated by dedicated LSCs covering each USN separately.

Vulnerability Insight:
Luciano Bello discovered that the random number generator in
Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to
the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are
not based on Debian. However, other systems can be indirectly affected if weak keys are imported
into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL
versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA
keys ever used on affected Debian systems for signing or authentication purposes should be
considered compromised. The Digital Signature Algorithm relies on a secret random value used
during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17,
and has since propagated to the testing and current stable (etch) distributions. The old stable
distribution (sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509
certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are
not affected, though.

Solution:
The problem can be corrected by upgrading your system to the
current packages.

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-0166
BugTraq ID: 29179
http://www.securityfocus.com/bid/29179
Bugtraq: 20080515 Debian generated SSH-Keys working exploit
http://www.securityfocus.com/archive/1/492112/100/0/threaded
Cert/CC Advisory: TA08-137A
http://www.us-cert.gov/cas/techalerts/TA08-137A.html
CERT/CC vulnerability note: VU#925211
http://www.kb.cert.org/vuls/id/925211
Debian Security Information: DSA-1571
http://www.debian.org/security/2008/dsa-1571
Debian Security Information: DSA-1576
http://www.debian.org/security/2008/dsa-1576
https://www.exploit-db.com/exploits/5622
https://www.exploit-db.com/exploits/5632
https://www.exploit-db.com/exploits/5720
http://metasploit.com/users/hdm/tools/debian-openssl/
https://16years.secvuln.info
https://news.ycombinator.com/item?id=40333169
http://sourceforge.net/mailarchive/forum.php?thread_name=48367252.7070603%40shemesh.biz&forum_name=rsyncrypto-devel
http://www.securitytracker.com/id?1020017
http://secunia.com/advisories/30136
http://secunia.com/advisories/30220
http://secunia.com/advisories/30221
http://secunia.com/advisories/30231
http://secunia.com/advisories/30239
http://secunia.com/advisories/30249
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-4
http://www.ubuntu.com/usn/usn-612-7
XForce ISS Database: openssl-rng-weak-security(42375)
https://exchange.xforce.ibmcloud.com/vulnerabilities/42375
Copyright: Copyright (C) 2008 Greenbone AG





© 1998-2025 E-Soft Inc. All rights reserved.