CVE-2013-4442 - Cryptographic Issues vulnerability in Pwgen Project Pwgen 2.06
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: PARTIAL
- Availability impact: NONE
Summary
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2014-16473.NASL
  description: Update to 2.07 (bug 1159526) fixes: CVE-2013-4440 (bug 1020222, 1020223); CVE-2013-4442 (bug 1020259, 1020261). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-03-17
  modified: 2014-12-17
  plugin id: 80063
  published: 2014-12-17
  reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/80063
  title: Fedora 19 : pwgen-2.07-1.fc19 (2014-16473)
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2014-16368.NASL
  description: Update to 2.07 (bug 1159526) fixes: CVE-2013-4440 (bug 1020222, 1020223); CVE-2013-4442 (bug 1020259, 1020261). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-03-17
  modified: 2014-12-15
  plugin id: 79937
  published: 2014-12-15
  reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/79937
  title: Fedora 20 : pwgen-2.07-1.fc20 (2014-16368)
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2014-16406.NASL
  description: Update to 2.07 (bug 1159526) fixes: CVE-2013-4440 (bug 1020222, 1020223); CVE-2013-4442 (bug 1020259, 1020261). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-03-17
  modified: 2014-12-15
  plugin id: 79944
  published: 2014-12-15
  reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/79944
  title: Fedora 21 : pwgen-2.07-1.fc21 (2014-16406)
- NASL family: Mandriva Local Security Checks
  NASL id: MANDRIVA_MDVSA-2015-008.NASL
  description: Updated pwgen package fixes security vulnerabilities: Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns (CVE-2013-4440). Pwgen was found to silently fall back to using standard pseudo generated numbers on systems that heavily use entropy. On systems such as those with a lot of daemons providing encryption services, the entropy was found to be exhausted, which forces pwgen to fall back to using standard pseudo generated numbers (CVE-2013-4442).
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 80427
  published: 2015-01-09
  reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/80427
  title: Mandriva Linux Security Advisory : pwgen (MDVSA-2015:008)
References
- http://advisories.mageia.org/MGASA-2014-0535.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146015.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146237.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146285.html
- http://sourceforge.net/p/pwgen/code/ci/00118ccac4656adb028504639b313d7b09e62b79/
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:008
- http://www.openwall.com/lists/oss-security/2013/06/06/1
- http://www.openwall.com/lists/oss-security/2013/10/16/15
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672241