CVE-2008-0166

Pending
13 May 2008
Published
15 Oct 2018
Updated
CVSS
Pending
EPSS
7.88%
  • 2 Posts
  • 418 Interactions

CVE Info

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
MITRE
NVD

Fediverse

Profile picture
hanno@hanno

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few ten thousand keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? 16years.secvuln.info/

  • 183
  • 165
  • 10 hours ago
Profile picture
BrianKrebs@briankrebs

Reason #2,391 why revisiting security assumptions is always a good idea.

[Bimi] No cryptographic connection between VMC and DKIM key

mailarchive.ietf.org/arch/msg/

My favorite part:

"I guess some may consider what I just said as an unimportant or a merely theoretical issue, so I would like to illustrate it with an example. Let's take the domain entrust.com. It has a DKIM key
configured at "dkim._domainkey.entrust.com". The TXT record is the following:

"v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvoLU5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQfQ/9FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB++7QORwIDAQAB"

This is a 1024 bit RSA key, which is not up to modern standards. But breaking 1024 bit RSA is still only feasible for very powerful attackers. However, this key has another problem: it is vulnerable to
the Debian OpenSSL bug (CVE-2008-0166). It is trivially possible to
find the private key (you can use my tool badkeys -
badkeys.info/ - to do that):

github.com/badkeys/debianopens"

  • 25
  • 45
  • 4 hours ago

CVE-2023-49606

Tinyproxy
01 May 2024
Published
01 May 2024
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.09%
  • 2 Posts
  • 1 Interaction

CVE Info

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.
MITRE
NVD

Fediverse

Profile picture
Cybersecurity & cyberwarfare@cybersecurity

52.000 server Tinyproxy esposti: Scoperta vulnerabilità RCE critica CVE-2023-49606

Più di 52.000 host Tinyproxy che si possono trovare su Internet sono vulnerabili alla vulnerabilità critica RCE CVE-2023-49606, recentemente scoperta in un server proxy open source. Tinyproxy è un server proxy open source per HTTP e HTTPS progettato per essere veloce e leggero. È progettato per i sistemi UNIX ed è ampiamente utilizzato da piccole […]

L'articolo 52.000 server Tinyproxy esposti: Scoperta vulnerabilità RCE critica CVE-2023-49606 proviene da il blog della sicurezza informatica.

redhotcyber.com/post/52-000-se
redhotcyber.com/feed

poliverso.org/display/0477a01e

  • 0
  • 0
  • 11 hours ago
Profile picture
Privacity@privacity

52.000 server Tinyproxy esposti: Scoperta vulnerabilità RCE critica CVE-2023-49606
poliverso.org/display/0477a01e
52.000 server Tinyproxy esposti: Scoperta vulnerabilità RCE critica CVE-2023-49606 Più di 52.000 host Tinyproxy che si possono trovare su Internet sono vulnerabili alla vulnerabilità redhotcyber.com/post/vulnerabi critica RCE CVE-2023-49606, recentemente scoperta in

  • 1
  • 0
  • 8 hours ago

CVE-2024-27793

Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
0.04%
  • 1 Post
  • 1 Interaction

CVE Info

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.
MITRE
NVD

Fediverse

Profile picture
happygeek :unverified: + :verified: = $0@happygeek

New @Forbes: A critical security vulnerability in the iTunes application for Windows 10 and Windows 11 users could have enabled malicious attackers to arbitrarily execute code remotely, Apple has confirmed in a support document published 8 May.

@wrv for finding CVE-2024-27793

forbes.com/sites/daveywinder/2

  • 1
  • 0
  • 6 hours ago

CVE-2024-21893

KEV
Ivanti ICS
31 Jan 2024
Published
31 Jan 2024
Updated
CVSS v3.0
HIGH (8.2)
EPSS
96.30%
  • 1 Post
  • 1 Interaction

CVE Info

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
MITRE
NVD

Fediverse

Profile picture
Privacity@privacity

52.000 server Tinyproxy esposti: Scoperta vulnerabilità RCE critica CVE-2023-49606
poliverso.org/display/0477a01e
52.000 server Tinyproxy esposti: Scoperta vulnerabilità RCE critica CVE-2023-49606 Più di 52.000 host Tinyproxy che si possono trovare su Internet sono vulnerabili alla vulnerabilità redhotcyber.com/post/vulnerabi critica RCE CVE-2023-49606, recentemente scoperta in

  • 1
  • 0
  • 8 hours ago