Alibaba genkey RSA Session Key Disclosure

1999-05-21T00:00:00
ID OSVDB:5981
Type osvdb
Reporter Chris Cowley (ccowley@grok.co.uk)
Modified 1999-05-21T00:00:00

Description

Vulnerability Description

Alibaba Web Server contains a flaw that may allow a remote attacker to obtain the session keys. The issue is due to the 'genkey' utility creating RSA public keys with an exponent of 1. Because RSA encryption computes c = m^e mod n, an exponent of 1 leaves the message unchanged (c = m), so the session key for each SSL session to a server running 'Alibaba' is sent in the clear.
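
The check below is an added example, not code from Alibaba or from the original advisory: it parses a PKCS#1 RSAPublicKey in DER form and flags a public exponent of 1, for which RSA encryption returns the plaintext unchanged. The function names and the toy key are constructed for illustration.

```python
# Added example; function names are illustrative, key material is constructed.
def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """Parse a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def audit_exponent(e):
    """Return a list of findings; an empty list means the exponent passed."""
    findings = []
    if e == 1:
        findings.append("e == 1: m^e mod n == m, encryption is the identity")
    elif e < 3 or e % 2 == 0:
        findings.append("e must be an odd integer >= 3")
    return findings

def _der_int(x):
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return bytes([0x02, len(raw)]) + raw

def encode_rsa_public_key(n, e):
    body = _der_int(n) + _der_int(e)
    return bytes([0x30, len(body)]) + body  # short-form length: toy keys only

# Constructed toy modulus, far too small for real use.
N = 1000003 * 1000033
WEAK_DER = encode_rsa_public_key(N, 1)       # exponent as described in the advisory
GOOD_DER = encode_rsa_public_key(N, 65537)   # common public exponent, for contrast

def textbook_encrypt(m, n, e):
    return pow(m, e, n)
```
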

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Mail List Post: http://catless.ncl.ac.uk/Risks/20.41.html#subj4
CVE-1999-1444