Vulnerabilities > CVE-2008-3280 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Openid

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

openid

CWE-338

NVD

Published: 2021-05-21

Updated: 2021-05-27

Summary

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs.

Vulnerable Configurations

Part	Description	Count
Application	Openid Openid Openid -	1

Common Weakness Enumeration (CWE)

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References

https://www.exploit-db.com/exploits/5720
http://lists.openid.net/pipermail/openid-security/2008-August/000942.html