CVE-2011-3599 - Vulnerability Details - OpenCVE

The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Adam Kennedy	Crypt-dsa
Perl	Perl

Configuration 1 [-]

AND

OR	cpe:2.3:a:adam_kennedy:crypt-dsa::::::::
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.01:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.02:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.03:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.10:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.11:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.12:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.13:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.14:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:0.15_01:::::::*
	cpe:2.3:a:adam_kennedy:crypt-dsa:1.16:::::::*

cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/76025
http://secunia.com/advisories/46275
http://www.openwall.com/lists/oss-security/2011/10/05/5
http://www.openwall.com/lists/oss-security/2011/10/05/9
http://www.securityfocus.com/bid/49928
https://bugzilla.redhat.com/show_bug.cgi?id=743567
https://rt.cpan.org/Public/Bug/Display.html?id=71421

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2011-10-10T10:00:00

Updated: 2024-08-06T23:37:48.587Z

Reserved: 2011-09-21T00:00:00

Link: CVE-2011-3599

Vulnrichment

No data.

NVD

Status : Modified

Published: 2011-10-10T10:55:06.863

Modified: 2024-11-21T01:30:49.563

Link: CVE-2011-3599

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-10-05T00:00:00", "descriptions": [{"lang": "en", "value": "The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-10-19T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "49928", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/49928"}, {"name": "[oss-security] 20111005 Re: CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/9"}, {"name": "76025", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/76025"}, {"tags": ["x_refsource_MISC"], "url": "https://rt.cpan.org/Public/Bug/Display.html?id=71421"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=743567"}, {"name": "[oss-security] 20111005 CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/5"}, {"name": "46275", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/46275"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2011-3599", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "49928", "refsource": "BID", "url": "http://www.securityfocus.com/bid/49928"}, {"name": "[oss-security] 20111005 Re: CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2011/10/05/9"}, {"name": "76025", "refsource": "OSVDB", "url": "http://osvdb.org/76025"}, {"name": "https://rt.cpan.org/Public/Bug/Display.html?id=71421", "refsource": "MISC", "url": "https://rt.cpan.org/Public/Bug/Display.html?id=71421"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=743567", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=743567"}, {"name": "[oss-security] 20111005 CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2011/10/05/5"}, {"name": "46275", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/46275"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T23:37:48.587Z"}, "title": "CVE Program Container", "references": [{"name": "49928", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/49928"}, {"name": "[oss-security] 20111005 Re: CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/9"}, {"name": "76025", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/76025"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rt.cpan.org/Public/Bug/Display.html?id=71421"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=743567"}, {"name": "[oss-security] 20111005 CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/5"}, {"name": "46275", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/46275"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-3599", "datePublished": "2011-10-10T10:00:00", "dateReserved": "2011-09-21T00:00:00", "dateUpdated": "2024-08-06T23:37:48.587Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6291000-01BD-4677-A83E-5AD03CA19ED8", "versionEndIncluding": "1.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.01:*:*:*:*:*:*:*", "matchCriteriaId": "380B4E21-01EE-4AA7-8C3C-8FF9109AC13E", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.02:*:*:*:*:*:*:*", "matchCriteriaId": "64C17BCB-BEFB-463B-9E19-E534739B6143", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.03:*:*:*:*:*:*:*", "matchCriteriaId": "C26BED95-412E-479F-8876-DEB487954F3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C0B8FD92-1C81-4115-82AA-07340ED8788F", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.11:*:*:*:*:*:*:*", "matchCriteriaId": "0FC2BBA6-1432-42A0-B8B3-6D79C2881543", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.12:*:*:*:*:*:*:*", "matchCriteriaId": "5A7EE54C-6B92-48AC-A512-DF3F410034F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.13:*:*:*:*:*:*:*", "matchCriteriaId": "D6EE4E97-1BCC-482C-9977-DC57B7E19A59", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.14:*:*:*:*:*:*:*", "matchCriteriaId": "4D590C83-D144-413B-811C-11E9D19BC0AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:0.15_01:*:*:*:*:*:*:*", "matchCriteriaId": "C14C8C9F-BF85-4921-B017-2E3E63AC1FD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:adam_kennedy:crypt-dsa:1.16:*:*:*:*:*:*:*", "matchCriteriaId": "066E1B1A-589B-47E2-AD79-BD24FEF94DBD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB490BCA-8592-4324-BCE3-396BFD647D5E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack."}, {"lang": "es", "value": "El m\u00f3dulo Crypt::DSA (tambi\u00e9n conocido como Crypt-DSA) v1.17 y anterior para Perl, cuando /dev/random est\u00e1 ausente, usa el m\u00f3dulo Data::Random, lo que hace m\u00e1s f\u00e1cil para atacantes remotos falsificar la firma, o determinar una clave de firma en un mensaje firmado, a trav\u00e9s de un ataque de fuerza bruta."}], "id": "CVE-2011-3599", "lastModified": "2024-11-21T01:30:49.563", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-10-10T10:55:06.863", "references": [{"source": "secalert@redhat.com", "url": "http://osvdb.org/76025"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/46275"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/5"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/9"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/49928"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=743567"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://rt.cpan.org/Public/Bug/Display.html?id=71421"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/76025"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/46275"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2011/10/05/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/49928"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=743567"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://rt.cpan.org/Public/Bug/Display.html?id=71421"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}