NVD Vulnerability Detail

CVE-2012-2417

Summary	PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key.
Publication Date	June 17, 2012, 12:41 p.m.
Registration Date	Jan. 28, 2021, 2:58 p.m.
Last Update	Nov. 21, 2024, 10:39 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:dlitz:pycrypto:1.9:alpha5::::::
cpe:2.3:a:dlitz:pycrypto:1.9:alpha1::::::
cpe:2.3:a:dlitz:pycrypto:2.2:::::::*
cpe:2.3:a:dlitz:pycrypto:1.9:alpha2::::::
cpe:2.3:a:dlitz:pycrypto:2.1.0:beta1::::::
cpe:2.3:a:dlitz:pycrypto:1.0.1:::::::*
cpe:2.3:a:dlitz:pycrypto:2.0.1:::::::*
cpe:2.3:a:dlitz:pycrypto:2.0:::::::*
cpe:2.3:a:dlitz:pycrypto:2.4.1:::::::*
cpe:2.3:a:dlitz:pycrypto:1.1:alpha2::::::
cpe:2.3:a:dlitz:pycrypto:1.9:alpha4::::::
cpe:2.3:a:dlitz:pycrypto:2.1.0:::::::*
cpe:2.3:a:dlitz:pycrypto:2.4:::::::*
cpe:2.3:a:dlitz:pycrypto:2.1.0:alpha1::::::
cpe:2.3:a:dlitz:pycrypto::::::::		2.5
cpe:2.3:a:dlitz:pycrypto:1.0.2:::::::*
cpe:2.3:a:dlitz:pycrypto:1.9:alpha6::::::
cpe:2.3:a:dlitz:pycrypto:2.1.0:alpha2::::::
cpe:2.3:a:dlitz:pycrypto:1.9:alpha3::::::
cpe:2.3:a:dlitz:pycrypto:2.3:::::::*
cpe:2.3:a:dlitz:pycrypto:1.0.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081713.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081713.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081759.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081759.html
5	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081789.html
6	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081789.html
7	http://secunia.com/advisories/49263	Vendor Advisory
8	http://secunia.com/advisories/49263	Vendor Advisory
9	http://www.debian.org/security/2012/dsa-2502
10	http://www.debian.org/security/2012/dsa-2502
11	http://www.mandriva.com/security/advisories?name=MDVSA-2012:117
12	http://www.mandriva.com/security/advisories?name=MDVSA-2012:117
13	http://www.openwall.com/lists/oss-security/2012/05/25/1
14	http://www.openwall.com/lists/oss-security/2012/05/25/1
15	http://www.osvdb.org/82279
16	http://www.osvdb.org/82279
17	http://www.securityfocus.com/bid/53687
18	http://www.securityfocus.com/bid/53687
19	https://bugs.launchpad.net/pycrypto/+bug/985164
20	https://bugs.launchpad.net/pycrypto/+bug/985164
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/75871
22	https://exchange.xforce.ibmcloud.com/vulnerabilities/75871
23	https://github.com/dlitz/pycrypto/blob/373ea760f21701b162e8c4912a66928ee30d401a/ChangeLog
24	https://github.com/dlitz/pycrypto/blob/373ea760f21701b162e8c4912a66928ee30d401a/ChangeLog
25	https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2	Exploit Patch
26	https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2	Exploit Patch
27	https://hermes.opensuse.org/messages/15083589
28	https://hermes.opensuse.org/messages/15083589

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-310	暗号の問題	https://cwe.mitre.org/data/definitions/310.html

JVN Vulnerability Information

PyCrypto における秘密鍵を取得される脆弱性

Title	PyCrypto における秘密鍵を取得される脆弱性
Summary	PyCrypto は、鍵を生成するために ElGamal スキームを使用する際、適切な素数を生成しないため、秘密鍵を取得される脆弱性が存在します。
Possible impacts	攻撃者により、総当たり攻撃 (brute force attacks) を介して、秘密鍵を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 18, 2012, midnight
Registration Date	June 20, 2012, 2:41 p.m.
Last Update	July 26, 2012, 5:17 p.m.

Affected System

Dwayne C. Litzenberger

PyCrypto 2.6 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-2417	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417
National Vulnerability Database (NVD)
2	CVE-2012-2417	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2417

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Bugs
1	ElGamal key generation is broken	https://bugs.launchpad.net/pycrypto/+bug/985164
Fedora Update Notification
2	FEDORA-2012-8392	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081713.html
3	FEDORA-2012-8470	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081789.html
4	FEDORA-2012-8490	http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081759.html
GitHub
5	ChangeLog	https://github.com/dlitz/pycrypto/blob/373ea760f21701b162e8c4912a66928ee30d401a/ChangeLog
6	Fix to bug #985164	https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2
opensuse-updates
7	openSUSE-SU-2012:0830	http://lists.opensuse.org/opensuse-updates/2012-07/msg00010.html

Change Log

No	Changed Details	Date of change
0	[2012年06月20日] 掲載 [2012年07月26日] ベンダ情報：openSUSE (openSUSE-SU-2012:0830) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:dlitz:pycrypto:1.9:alpha5::::::
cpe:2.3:a:dlitz:pycrypto:1.9:alpha1::::::
cpe:2.3:a:dlitz:pycrypto:2.2:::::::*
cpe:2.3:a:dlitz:pycrypto:1.9:alpha2::::::
cpe:2.3:a:dlitz:pycrypto:2.1.0:beta1::::::
cpe:2.3:a:dlitz:pycrypto:1.0.1:::::::*
cpe:2.3:a:dlitz:pycrypto:2.0.1:::::::*
cpe:2.3:a:dlitz:pycrypto:2.0:::::::*
cpe:2.3:a:dlitz:pycrypto:2.4.1:::::::*
cpe:2.3:a:dlitz:pycrypto:1.1:alpha2::::::
cpe:2.3:a:dlitz:pycrypto:1.9:alpha4::::::
cpe:2.3:a:dlitz:pycrypto:2.1.0:::::::*
cpe:2.3:a:dlitz:pycrypto:2.4:::::::*
cpe:2.3:a:dlitz:pycrypto:2.1.0:alpha1::::::
cpe:2.3:a:dlitz:pycrypto::::::::		2.5
cpe:2.3:a:dlitz:pycrypto:1.0.2:::::::*
cpe:2.3:a:dlitz:pycrypto:1.9:alpha6::::::
cpe:2.3:a:dlitz:pycrypto:2.1.0:alpha2::::::
cpe:2.3:a:dlitz:pycrypto:1.9:alpha3::::::
cpe:2.3:a:dlitz:pycrypto:2.3:::::::*
cpe:2.3:a:dlitz:pycrypto:1.0.0:::::::*