CVE-2013-4442 - Cryptographic Issues vulnerability in Pwgen Project Pwgen 2.06

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
network
low complexity
pwgen-project
CWE-310
nessus

Summary

Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

Vulnerable Configurations

Part          Description      Count
Application   Pwgen_Project    1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-16473.NASL
    description: Update to 2.07 (bug 1159526) fixes: - CVE-2013-4440 (bug 1020222, 1020223) - CVE-2013-4442 (bug 1020259, 1020261) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-12-17
    plugin id: 80063
    published: 2014-12-17
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80063
    title: Fedora 19 : pwgen-2.07-1.fc19 (2014-16473)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-16368.NASL
    description: Update to 2.07 (bug 1159526) fixes: - CVE-2013-4440 (bug 1020222, 1020223) - CVE-2013-4442 (bug 1020259, 1020261) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-12-15
    plugin id: 79937
    published: 2014-12-15
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79937
    title: Fedora 20 : pwgen-2.07-1.fc20 (2014-16368)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-16406.NASL
    description: Update to 2.07 (bug 1159526) fixes: - CVE-2013-4440 (bug 1020222, 1020223) - CVE-2013-4442 (bug 1020259, 1020261) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-12-15
    plugin id: 79944
    published: 2014-12-15
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79944
    title: Fedora 21 : pwgen-2.07-1.fc21 (2014-16406)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-008.NASL
    description: Updated pwgen package fixes security vulnerabilities: Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns (CVE-2013-4440). Pwgen was found to silently fall back to use standard pseudo generated numbers on the systems that heavily use entropy. On systems such as those with a lot of daemons providing encryption services, the entropy was found to be exhausted, which forces pwgen to fall back to use standard pseudo generated numbers (CVE-2013-4442).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80427
    published: 2015-01-09
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/80427
    title: Mandriva Linux Security Advisory : pwgen (MDVSA-2015:008)