Vulnerabilities > CVE-2005-2946 - Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
openssl
canonical
CWE-327
nessus

Summary

The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Encryption Brute Forcing
    An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
  • Cryptanalysis
    Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: 1. Total Break - Finding the secret key 2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key. 3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known 4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.

Nessus

  • NASL familyWeb Servers
    NASL idOPENSSL_0_9_8.NASL
    descriptionAccording to its banner, the remote server is running a version of OpenSSL that is earlier than 0.9.8. The default configuration uses MD5 instead of a stronger hash algorithm. An attacker could forge certificates. If you never generate certificates on this machine, you may ignore this warning.
    last seen2020-06-01
    modified2020-06-02
    plugin id17759
    published2012-01-04
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17759
    titleOpenSSL < 0.9.8 Weak Default Configuration
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17759);
      script_version("1.7");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      script_cve_id("CVE-2005-2946");
    
      script_name(english:"OpenSSL < 0.9.8 Weak Default Configuration");
      script_summary(english:"Does a banner check");
    
      script_set_attribute(attribute:"synopsis", value:
    "The default configuration of OpenSSL on the remote server uses a weak
    hash algorithm.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the remote server is running a version of 
    OpenSSL that is earlier than 0.9.8. 
    
    The default configuration uses MD5 instead of a stronger hash
    algorithm.  An attacker could forge certificates. 
    
    If you never generate certificates on this machine, you may ignore
    this warning.");
      script_set_attribute(attribute:"see_also", value:"https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/19835");
      script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/179-1/");
      script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL 0.9.8 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(310);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/04");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("openssl_version.nasl");
      script_require_keys("openssl/port");
    
      exit(0);
    }
    
    include("openssl_version.inc");
    
    openssl_check_version(fixed:'0.9.8', severity:SECURITY_WARNING);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-179-1.NASL
    descriptionThe current default algorithm for creating
    last seen2020-06-01
    modified2020-06-02
    plugin id20589
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20589
    titleUbuntu 4.10 / 5.04 : openssl weak default configuration (USN-179-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-179-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20589);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2005-2946");
      script_xref(name:"USN", value:"179-1");
    
      script_name(english:"Ubuntu 4.10 / 5.04 : openssl weak default configuration (USN-179-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The current default algorithm for creating 'message digests'
    (electronic signatures) for certificates created by openssl is MD5.
    However, this algorithm is not deemed secure any more, and some
    practical attacks have been demonstrated which could allow an attacker
    to forge certificates with a valid certification authority signature
    even if he does not know the secret CA signing key.
    
    Therefore all Ubuntu versions of openssl have now been changed to use
    SHA-1 by default. This is a more appropriate default algorithm for the
    majority of use cases; however, if you still want to use MD5 as
    default, you can revert this change by changing the two instances of
    'default_md = sha1' to 'default_md = md5' in /etc/ssl/openssl.cnf.
    
    A detailed explanation and further links can be found at
    
    http://www.cits.rub.de/MD5Collisions/
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libssl-dev, libssl0.9.7 and / or openssl packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libssl-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libssl0.9.7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/09/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"libssl-dev", pkgver:"0.9.7d-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libssl0.9.7", pkgver:"0.9.7d-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"openssl", pkgver:"0.9.7d-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"libssl-dev", pkgver:"0.9.7e-3ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"libssl0.9.7", pkgver:"0.9.7e-3ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"openssl", pkgver:"0.9.7e-3ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssl-dev / libssl0.9.7 / openssl");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-179.NASL
    descriptionYutaka Oiwa discovered vulnerability potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL. Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third- party software that might prevent interoperability. The SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a
    last seen2020-06-01
    modified2020-06-02
    plugin id20039
    published2005-10-19
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20039
    titleMandrake Linux Security Advisory : openssl (MDKSA-2005:179)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:179. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20039);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2005-2946", "CVE-2005-2969");
      script_xref(name:"MDKSA", value:"2005:179");
    
      script_name(english:"Mandrake Linux Security Advisory : openssl (MDKSA-2005:179)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Yutaka Oiwa discovered vulnerability potentially affects applications
    that use the SSL/TLS server implementation provided by OpenSSL.
    
    Such applications are affected if they use the option
    SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
    SSL_OP_ALL, which is intended to work around various bugs in third-
    party software that might prevent interoperability. The
    SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
    the SSL 2.0 server supposed to prevent active protocol-version
    rollback attacks. With this verification step disabled, an attacker
    acting as a 'man in the middle' can force a client and a server to
    negotiate the SSL 2.0 protocol even if these parties both support SSL
    3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe
    cryptographic weaknesses and is supported as a fallback only.
    (CVE-2005-2969)
    
    The current default algorithm for creating 'message digests'
    (electronic signatures) for certificates created by openssl is MD5.
    However, this algorithm is not deemed secure any more, and some
    practical attacks have been demonstrated which could allow an attacker
    to forge certificates with a valid certification authority signature
    even if he does not know the secret CA signing key.
    
    To address this issue, openssl has been changed to use SHA-1 by
    default. This is a more appropriate default algorithm for the majority
    of use cases. If you still want to use MD5 as default, you can revert
    this change by changing the two instances of 'default_md = sha1' to
    'default_md = md5' in /usr/{lib,lib64}/ssl/openssl.cnf.
    (CVE-2005-2946)"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_cwe_id(310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.7-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.7-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.7-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.7-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64openssl0.9.7-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64openssl0.9.7-devel-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64openssl0.9.7-static-devel-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libopenssl0.9.7-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libopenssl0.9.7-devel-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libopenssl0.9.7-static-devel-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"openssl-0.9.7d-1.3.101mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64openssl0.9.7-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64openssl0.9.7-devel-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64openssl0.9.7-static-devel-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libopenssl0.9.7-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libopenssl0.9.7-devel-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libopenssl0.9.7-static-devel-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"openssl-0.9.7e-5.2.102mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64openssl0.9.7-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64openssl0.9.7-devel-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64openssl0.9.7-static-devel-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libopenssl0.9.7-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libopenssl0.9.7-devel-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libopenssl0.9.7-static-devel-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"openssl-0.9.7g-2.1.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Statements

contributorJoshua Bressers
lastmodified2006-09-20
organizationRed Hat
statementRed Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169803 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/