[Secure-testing-team] Bug#647205: cherokee: Admin password generation uses time and PID, allows attackers to brute-force it

Gunnar Wolf gwolf at gwolf.org
Mon Oct 31 16:28:36 UTC 2011


Package: cherokee
Version: 1.2.100-1
Severity: grave
Tags: security
Justification: user security hole

CVE issue CVE-2011-2190 points out that the temporary admin password
generation function is seeded by the time and PID, which allows an
attacker to brute-force it. Yes, in production systems cherokee-admin
should be quite short-lived, but administrators can leave it running
for long periods, opening a window to this attack. 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190

An example attack has been posted to the RedHat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190

This bug has been filed in the upstream bugtracker:

http://code.google.com/p/cherokee/issues/detail?id=1295

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cherokee depends on:
ii  libc6                2.13-21  
ii  libcherokee-base0    1.2.100-1
ii  libcherokee-server0  1.2.100-1
ii  libssl1.0.0          1.0.0e-2 
ii  logrotate            3.7.8-6  

Versions of packages cherokee recommends:
ii  cherokee-admin  1.2.100-1
ii  spawn-fcgi      1.6.3-1  

Versions of packages cherokee suggests:
ii  cherokee-doc               1.2.100-1
ii  libcherokee-mod-geoip      1.2.100-1
ii  libcherokee-mod-ldap       1.2.100-1
ii  libcherokee-mod-libssl     1.2.100-1
ii  libcherokee-mod-mysql      1.2.100-1
ii  libcherokee-mod-rrd        1.2.100-1
ii  libcherokee-mod-streaming  1.2.100-1

-- Configuration Files:
/etc/cherokee/cherokee.conf changed [not included]

-- debconf-show failed
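To make the weakness concrete, here is an added, self-contained illustration of the attack class described in the report. It is not Cherokee's password generator and not the Red Hat bugzilla proof of concept: the generator below is a hypothetical stand-in that seeds a PRNG with a start timestamp and a PID, and the brute force simply re-runs that generator for every (time, PID) pair in a guessed window, asking an oracle (a real attacker would use the cherokee-admin login form) whether each candidate is right. The timestamp, PID, window size and password alphabet are all constructed values for the demonstration.

```python
"""Time+PID seeded password generation and the brute force it allows.

Hypothetical example code: NOT cherokee-admin's implementation, only the
same class of weakness (deterministic seed built from guessable inputs).
"""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (constructed choice)
PASSWORD_LEN = 8                                 # constructed choice


def make_seed(timestamp: int, pid: int) -> int:
    # Hypothetical mixing of the two low-entropy inputs. The exact mixing
    # is irrelevant: both inputs are guessable, so the seed space is tiny.
    return (timestamp << 16) ^ pid


def weak_password(timestamp: int, pid: int) -> str:
    # Deterministic: the same (time, pid) always yields the same password.
    rng = random.Random(make_seed(timestamp, pid))
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def strong_password() -> str:
    # Hardened form: draw from the OS CSPRNG instead of a seeded PRNG.
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def seed_space(window_seconds: int, pid_max: int) -> int:
    # Number of candidates an attacker has to try: one per (time, pid) pair.
    return window_seconds * pid_max


def password_space() -> int:
    # What the password length and alphabet *appear* to offer.
    return len(ALPHABET) ** PASSWORD_LEN


def brute_force(is_valid, t_start: int, t_end: int, pid_max: int):
    """Enumerate every (time, pid) pair in the window, regenerate the
    password each would have produced, and ask the oracle whether it is
    correct. Returns (timestamp, pid, password, attempts) or None."""
    attempts = 0
    for t in range(t_start, t_end + 1):
        for pid in range(1, pid_max + 1):
            attempts += 1
            candidate = weak_password(t, pid)
            if is_valid(candidate):
                return t, pid, candidate, attempts
    return None


if __name__ == "__main__":
    # Constructed scenario: the admin started the tool at a time the attacker
    # knows to within +/-10 s; the PID is unknown but below 8192.
    started_at, real_pid = 1320078516, 4242
    real_password = weak_password(started_at, real_pid)

    print("apparent password space :", password_space())
    print("seed space (1 h, 32768) :", seed_space(3600, 32768))

    # The oracle stands in for a login attempt against the admin interface.
    result = brute_force(lambda c: c == real_password,
                         started_at - 10, started_at + 10, 8192)
    print("recovered:", result)
```

The two printed sizes are the whole story: eight characters from a 62-symbol alphabet look like about 2.2e14 possibilities, but with a seed built from a one-hour window and a 15-bit PID the attacker only has to try about 1.2e8 candidates, and a tighter guess at the start time shrinks that further. Replacing the seeded PRNG with `secrets` (or `os.urandom`) removes the dependency on guessable inputs entirely.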
