Vulnerabilities > CVE-2013-6078 - Cryptographic Issues vulnerability in EMC RSA Bsafe Toolkits and RSA Data Protection Manager
Summary
The default configuration of EMC RSA BSAFE Toolkits and RSA Data Protection Manager (DPM) 20130918 uses the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging unspecified "security concerns," aka the ESA-2013-068 issue. NOTE: this issue has been SPLIT from CVE-2007-6755 because the vendor announcement did not state a specific technical rationale for a change in the algorithm; thus, CVE cannot reach a conclusion that a CVE-2007-6755 concern was the reason, or one of the reasons, for this change. As with CVE-2007-6755 this vulnerability has been scored with the assumption the relationship between P and Q is known to the attacker. Please see CVE-2007-6755 [link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6755] more information.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
References
- http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
- http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html
- http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/
- http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect