CVE-2009-4295

Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA private key for the firmware on each Sun Ray 1, 1g, 100, and 150 DTU device, which makes it easier for remote attackers to obtain sensitive information by predicting a key and then using it to decrypt sniffed network traffic.

CVSS v2.0 7.8 HIGH

7.8^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:N/A:N

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270549-1	Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-21-127553-07-1	Patch
http://www.securityfocus.com/bid/37285	Patch
http://www.vupen.com/english/advisories/2009/3477	Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sun:ray_server_software:4.1::linux:::::
	cpe:2.3:a:sun:ray_server_software:4.0::sparc:::::
	cpe:2.3:a:sun:ray_server_software:4.1::sparc:::::
	cpe:2.3:a:sun:ray_server_software:4.0::x86:::::
	cpe:2.3:a:sun:ray_server_software:4.0::linux:::::
	cpe:2.3:a:sun:ray_server_software:4.1::x86:::::

Information

Published : 2009-12-11 08:30

Updated : 2009-12-13 21:00

NVD link : CVE-2009-4295

Mitre link : CVE-2009-4295

JSON object : View

CWE

CWE-310

Cryptographic Issues

Advertisement

Products Affected

sun

ray_server_software

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-270549-1", "name": "270549", "tags": ["Vendor Advisory"], "refsource": "SUNALERT"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-127553-07-1", "name": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-127553-07-1", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/37285", "name": "37285", "tags": ["Patch"], "refsource": "BID"}, {"url": "http://www.vupen.com/english/advisories/2009/3477", "name": "ADV-2009-3477", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA private key for the firmware on each Sun Ray 1, 1g, 100, and 150 DTU device, which makes it easier for remote attackers to obtain sensitive information by predicting a key and then using it to decrypt sniffed network traffic."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-310"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-4295", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 6.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2009-12-11T16:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:sun:ray_server_software:4.1:*:linux:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:ray_server_software:4.0:*:sparc:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:ray_server_software:4.1:*:sparc:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:ray_server_software:4.0:*:x86:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:ray_server_software:4.0:*:linux:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:ray_server_software:4.1:*:x86:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2009-12-14T05:00Z"}