CVE-2008-5082
First published: Thu Dec 11 2008(Updated: )
During the internal code review, it was discovered that Red Hat Certificate System / Dogtag Certificate System does not properly verify challenge response received during the enrollment of new security token. If keys are generated on the token during the enrollment, TPS correctly verifies that the requestor possesses the private key, but fails to verify that the key really exists on the token and is not only in software. An attacker with access to blank token known to TPS component and with privilege to perform enrollments of new tokens could use this flaw to successfully finish enrollment procedure with the software generated key instead of the one stored in the token. Affected versions: Red Hat Certificate System 7.1, 7.2, 7.3 Dogtag Certificate System 1.0
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dogtag Certificate System | =1.0 | |
| Red Hat Certificate System | =7.1 | |
| Red Hat Certificate System | =7.2 | |
| Red Hat Certificate System | =7.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://rhn.redhat.com/errata/RHSA-2009-0007.html
- http://www.securityfocus.com/bid/33508
- https://bugzilla.redhat.com/show_bug.cgi?id=475998
- http://secunia.com/advisories/33693
- http://www.vupen.com/english/advisories/2009/0145
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48331
- http://rhn.redhat.com/errata/RHSA-2009-0007.html
Frequently Asked Questions
What is the severity of CVE-2008-5082?
CVE-2008-5082 has been assigned a moderate severity level due to the risk of improper authentication during the enrollment of security tokens.
How do I fix CVE-2008-5082?
To mitigate CVE-2008-5082, you should apply the latest updates provided by Red Hat for the affected versions of the Dogtag Certificate System and Red Hat Certificate System.
Who is affected by CVE-2008-5082?
CVE-2008-5082 affects users of Red Hat Certificate System versions 7.1, 7.2, 7.3 and Dogtag Certificate System version 1.0.
What impact does CVE-2008-5082 have on security?
CVE-2008-5082 could potentially allow unauthorized users to enroll for security tokens without proper challenge-response verification.
Is there a workaround for CVE-2008-5082?
Currently, there is no known workaround for CVE-2008-5082 other than applying the recommended security updates.
- agent/first-publish-date
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-5082
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/redhat
- canonical/dogtag certificate system
- version/dogtag certificate system/1.0
- canonical/red hat certificate system
- version/red hat certificate system/7.1
- version/red hat certificate system/7.2
- version/red hat certificate system/7.3