Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-0166Use of Cryptographically Weak Pseudo-Random Number Generator in Openssl

CWE-338Use of Cryptographically Weak Pseudo-Random Number Generator14 documents8 sources
Severity
7.5HIGHNVD
EPSS
2.5%
top 14.66%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
4
Openbsd OpensshOpensslCanonical Ubuntu Linux+1 more
Timeline
PublishedMay 13
Latest updateMay 1

Description

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Debianopenssl/openssl< 0.9.8g-9+3
NVDopenssl/openssl0.9.8c-10.9.8g
Debianopenbsd/openssh< 4.7p1-9+3

Also affects: Debian Linux 4.0, Ubuntu Linux 6.06, 7.04, 7.10, 8.04

Patches

Patch: www.debian.orgPatch: www.debian.orgPatch: www.ubuntu.com

🔴Vulnerability Details

3
GHSA
GHSA-4xrg-5554-qffr: OpenSSL 02022-05-01
CVEList
CVE-2008-0166: OpenSSL 02008-05-13
OSV
CVE-2008-0166: OpenSSL 02008-05-13

💥Exploits & PoCs

3
Exploit-DB
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH2008-06-01
Exploit-DB
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby)2008-05-16
Exploit-DB
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH2008-05-15

📋Vendor Advisories

7
Ubuntu
OpenSSH update2008-05-20
Ubuntu
ssl-cert vulnerability2008-05-14
Ubuntu
OpenSSL vulnerability2008-05-13
Ubuntu
OpenVPN vulnerability2008-05-13
Ubuntu
OpenSSH vulnerability2008-05-13
CVE-2008-0166 — Openssl vulnerability | cvebase