CVE-2008-3280 - Vulnerability Details - OpenCVE

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openid	Openid

Configuration 1 [-]

cpe:2.3:a:openid:openid:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.openid.net/pipermail/openid-security/2008-August/000942.html
https://www.exploit-db.com/exploits/5720

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-05-21T19:23:55

Updated: 2024-08-07T09:28:42.000Z

Reserved: 2008-07-24T00:00:00

Link: CVE-2008-3280

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-21T20:15:07.430

Modified: 2024-11-21T00:48:52.517

Link: CVE-2008-3280

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "openid", "vendor": "n/a", "versions": [{"status": "affected", "version": "unknown"}]}], "descriptions": [{"lang": "en", "value": "It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-21T19:23:55", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.exploit-db.com/exploits/5720"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2008-3280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openid", "version": {"version_data": [{"version_value": "unknown"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-338"}]}]}, "references": {"reference_data": [{"name": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html", "refsource": "MISC", "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"name": "https://www.exploit-db.com/exploits/5720", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/5720"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:28:42.000Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.exploit-db.com/exploits/5720"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2008-3280", "datePublished": "2021-05-21T19:23:55", "dateReserved": "2008-07-24T00:00:00", "dateUpdated": "2024-08-07T09:28:42.000Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openid:openid:-:*:*:*:*:*:*:*", "matchCriteriaId": "21ACAE04-0500-4B20-8F63-87D22A9A0563", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs."}, {"lang": "es", "value": "Se detect\u00f3 que varios OpenID Providers (OP) ten\u00edan TLS Server Certificates que usaban claves d\u00e9biles, como resultado del Debian Predictable Random Number Generator (CVE-2008-0166). En combinaci\u00f3n con el problema de Envenenamiento de la cach\u00e9 de DNS (CVE-2008-1447) y el hecho de que casi todas las implementaciones de SSL / TLS no consultan las CRL (actualmente un problema sin seguimiento), esto significa que es imposible confiar en estos OP"}], "id": "CVE-2008-3280", "lastModified": "2024-11-21T00:48:52.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-21T20:15:07.430", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/5720"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "http://lists.openid.net/pipermail/openid-security/2008-August/000942.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/5720"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "secalert@redhat.com", "type": "Secondary"}]}