CVE-2008-3280 - OpenCVE

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Openid	Openid

Configuration 1 [-]

cpe:2.3:a:openid:openid:-:*:*:*:*:*:*:*

References

Link	Resource
http://lists.openid.net/pipermail/openid-security/2008-August/000942.html	Mailing List Mitigation Vendor Advisory
https://www.exploit-db.com/exploits/5720	Exploit Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2021-05-21T19:23:55

Updated: 2021-05-21T19:23:55

Reserved: 2008-07-24T00:00:00

Link: CVE-2008-3280

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-21T20:15:07.430

Modified: 2021-05-27T21:19:31.733

Link: CVE-2008-3280

JSON object: View

Redhat Information

No data.

CWE

CWE-338

{"containers": {"cna": {"affected": [{"product": "openid", "vendor": "n/a", "versions": [{"status": "affected", "version": "unknown"}]}], "descriptions": [{"lang": "en", "value": "It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-21T19:23:55", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.exploit-db.com/exploits/5720"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2008-3280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openid", "version": {"version_data": [{"version_value": "unknown"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-338"}]}]}, "references": {"reference_data": [{"name": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html", "refsource": "MISC", "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"name": "https://www.exploit-db.com/exploits/5720", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/5720"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2008-3280", "datePublished": "2021-05-21T19:23:55", "dateReserved": "2008-07-24T00:00:00", "dateUpdated": "2021-05-21T19:23:55", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openid:openid:-:*:*:*:*:*:*:*", "matchCriteriaId": "21ACAE04-0500-4B20-8F63-87D22A9A0563", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs."}, {"lang": "es", "value": "Se detect\u00f3 que varios OpenID Providers (OP) ten\u00edan TLS Server Certificates que usaban claves d\u00e9biles, como resultado del Debian Predictable Random Number Generator (CVE-2008-0166). En combinaci\u00f3n con el problema de Envenenamiento de la cach\u00e9 de DNS (CVE-2008-1447) y el hecho de que casi todas las implementaciones de SSL / TLS no consultan las CRL (actualmente un problema sin seguimiento), esto significa que es imposible confiar en estos OP"}], "id": "CVE-2008-3280", "lastModified": "2021-05-27T21:19:31.733", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-21T20:15:07.430", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/5720"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "secalert@redhat.com", "type": "Primary"}]}