CVE-2011-0766 — Crypto vulnerability

CWE-3108 documents6 sources

Severity

7.8HIGHNVD

EPSS

3.4%

top 12.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Erlang OTP Erlang Crypto SSH

Timeline

PublishedMay 31

Latest updateMay 17

Description

The random number generator in the Crypto application before 2.0.2.2, and SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses predictable seeds based on the current time, which makes it easier for remote attackers to guess DSA host and SSH session keys.

CVSS vector

AV:N/AC:L/C:C/I:N/A:NExploitability: 10.0 | Impact: 6.9

Affected Packages4 packages

▶NVDerlang/crypto2.0.2.1

▶Debianerlang/erlang_otp< 1:14.b.3-dfsg-1+3

▶NVDerlang/erlang_otp10 versions+9

▶NVDssh/ssh2.0.4

Patches

Patch: www.kb.cert.org ↗Patch: github.com ↗Patch: www.kb.cert.org ↗

🔴Vulnerability Details

GHSA

GHSA-q2pp-3636-pf45: The random number generator in the Crypto application before 2↗2022-05-17

▶

CVEList

CVE-2011-0766: The random number generator in the Crypto application before 2↗2011-05-31

▶

OSV

CVE-2011-0766: The random number generator in the Crypto application before 2↗2011-05-31

▶

📋Vendor Advisories

Debian

CVE-2011-0766: erlang - The random number generator in the Crypto application before 2.0.2.2, and SSH be...↗2011

▶

💬Community

Bugzilla

CVE-2011-0766 erlang: SSH library uses a weak random number generator↗2011-05-30

▶

Bugzilla

CVE-2011-0766 erlang: SSH library uses a weak random number generator [epel-all]↗2011-05-30

▶

Bugzilla

CVE-2011-0766 erlang: SSH library uses a weak random number generator [fedora-all]↗2011-05-30

▶