Gunnar Wolf
2011-Oct-31 16:28 UTC
[Secure-testing-team] Bug#647205: cherokee: Admin password generation uses time and PID, allows attackers to brute-force it
Package: cherokee
Version: 1.2.100-1
Severity: grave
Tags: security
Justification: user security hole

CVE issue CVE-2011-2190 points out that the temporary admin password generation function is seeded by the time and PID, which allows an attacker to brute-force it. Yes, in production systems cherokee-admin should be quite short-lived, but administrators can leave it running for long periods, opening a window to this attack.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190

An example attack has been posted to the RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190

This bug has been filed in the upstream bugtracker:
http://code.google.com/p/cherokee/issues/detail?id=1295

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cherokee depends on:
ii  libc6                2.13-21
ii  libcherokee-base0    1.2.100-1
ii  libcherokee-server0  1.2.100-1
ii  libssl1.0.0          1.0.0e-2
ii  logrotate            3.7.8-6

Versions of packages cherokee recommends:
ii  cherokee-admin  1.2.100-1
ii  spawn-fcgi      1.6.3-1

Versions of packages cherokee suggests:
ii  cherokee-doc               1.2.100-1
ii  libcherokee-mod-geoip      1.2.100-1
ii  libcherokee-mod-ldap       1.2.100-1
ii  libcherokee-mod-libssl     1.2.100-1
ii  libcherokee-mod-mysql      1.2.100-1
ii  libcherokee-mod-rrd        1.2.100-1
ii  libcherokee-mod-streaming  1.2.100-1

-- Configuration Files:
/etc/cherokee/cherokee.conf changed [not included]

-- debconf-show failed
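The root cause described in the report, a temporary password derived from a PRNG seeded with the time and PID, is easy to see by comparing the entropy of the seed with the entropy the password appears to have. The following Python is an added illustration, not code from the bug report or from cherokee: `weak_password` is a hypothetical generator modelled on the reported pattern (seed derived from clock and PID, fed to a general-purpose PRNG), `strong_password` is the corrected form that draws from the operating system's CSPRNG via the `secrets` module, and the two `*_bits` helpers bound the effective keyspace of each. The seconds-resolution clock, the 16-bit PID range and the one-day window are constructed assumptions for the calculation.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSWORD_LEN = 16


def time_pid_seed(now_seconds: int, pid: int) -> int:
    """Constructed seed in the style the report describes: wall-clock seconds
    combined with the process ID. Both inputs are guessable, so the seed is too."""
    return (now_seconds << 16) ^ pid


def weak_password(seed: int, length: int = PASSWORD_LEN) -> str:
    """Hypothetical weak generator (NOT cherokee's code): a general-purpose PRNG
    seeded with a predictable value. Same seed -> same password, every time."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = PASSWORD_LEN) -> str:
    """Corrected form: every symbol comes from the OS CSPRNG, so the password's
    entropy is bounded by its length and alphabet, not by a small seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_seed_space_bits(window_seconds: int, pid_max: int = 1 << 15) -> float:
    """Upper bound on the entropy of a time+PID seeded password: the password can
    carry no more entropy than the seed it was deterministically derived from.
    window_seconds is how long cherokee-admin has been left running."""
    return math.log2(window_seconds * pid_max)


def password_alphabet_bits(length: int = PASSWORD_LEN, alphabet: str = ALPHABET) -> float:
    """Entropy of a password whose symbols are drawn independently and uniformly."""
    return length * math.log2(len(alphabet))


def entropy_shortfall_bits(window_seconds: int) -> float:
    """How many bits of apparent strength the weak scheme actually lacks."""
    return password_alphabet_bits() - weak_seed_space_bits(window_seconds)


if __name__ == "__main__":
    seed = time_pid_seed(1320078480, 1234)  # constructed timestamp and PID
    print("weak (deterministic):", weak_password(seed), weak_password(seed))
    print("strong:", strong_password())
    one_day = 24 * 3600
    print(f"seed space over one day: {weak_seed_space_bits(one_day):.1f} bits")
    print(f"apparent password space: {password_alphabet_bits():.1f} bits")
    print(f"shortfall: {entropy_shortfall_bits(one_day):.1f} bits")
```

The numbers make the report's point about leaving cherokee-admin running: a 16-character alphanumeric password looks like roughly 95 bits, but when it is a pure function of a seconds clock and a PID, a day-long window bounds it at about 31 bits, and that bound grows only logarithmically with the window. Reading from the CSPRNG removes the seed as the bottleneck altogether.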