CVE-2008-0166

Name: CVE-2008-0166
Creator: NVD / NIST
Published: 2008-05-13T17:20:00+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 70.72%

Last modified Jun 16, 2026

CVE-2008-0166 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.. EPSS estimates a 70.72% chance of exploitation in the next 30 days.

Description

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

70.72%

99.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-338

Affected Software

Vendor	Product	Versions
Openssl	Openssl	>= 0.9.8c-1, <= 0.9.8g
Canonical	Ubuntu Linux	6.06
Canonical	Ubuntu Linux	7.04
Canonical	Ubuntu Linux	7.10
Canonical	Ubuntu Linux	8.04
Debian	Debian Linux	4.0

References

http://metasploit.com/users/hdm/tools/debian-openssl/Broken Link
http://secunia.com/advisories/30136Broken Link, Vendor Advisory
http://secunia.com/advisories/30220Broken Link, Vendor Advisory
http://secunia.com/advisories/30221Broken Link, Vendor Advisory
http://secunia.com/advisories/30231Broken Link, Vendor Advisory
http://secunia.com/advisories/30239Broken Link, Vendor Advisory
http://secunia.com/advisories/30249Broken Link, Vendor Advisory
http://sourceforge.net/mailarchive/forum.php?thread_name=48367252.7070603%40shemesh.biz&forum_name=rsyncrypto-develThird Party Advisory
http://www.debian.org/security/2008/dsa-1571Mailing List, Patch, Vendor Advisory
http://www.debian.org/security/2008/dsa-1576Mailing List, Patch
http://www.kb.cert.org/vuls/id/925211Third Party Advisory, US Government Resource
http://www.securityfocus.com/archive/1/492112/100/0/threadedBroken Link, Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/29179Broken Link, Exploit, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1020017Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/usn-612-1Patch, Third Party Advisory
http://www.ubuntu.com/usn/usn-612-2Patch, Third Party Advisory
http://www.ubuntu.com/usn/usn-612-3Third Party Advisory
http://www.ubuntu.com/usn/usn-612-4Third Party Advisory
http://www.ubuntu.com/usn/usn-612-7Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA08-137A.htmlBroken Link, Third Party Advisory, US Government Resource
https://16years.secvuln.info
https://exchange.xforce.ibmcloud.com/vulnerabilities/42375Third Party Advisory, VDB Entry
https://news.ycombinator.com/item?id=40333169
https://www.exploit-db.com/exploits/5622Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/5632Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/5720Exploit, Third Party Advisory, VDB Entry
http://metasploit.com/users/hdm/tools/debian-openssl/Broken Link
http://secunia.com/advisories/30136Broken Link, Vendor Advisory
http://secunia.com/advisories/30220Broken Link, Vendor Advisory
http://secunia.com/advisories/30221Broken Link, Vendor Advisory
http://secunia.com/advisories/30231Broken Link, Vendor Advisory
http://secunia.com/advisories/30239Broken Link, Vendor Advisory
http://secunia.com/advisories/30249Broken Link, Vendor Advisory
http://sourceforge.net/mailarchive/forum.php?thread_name=48367252.7070603%40shemesh.biz&forum_name=rsyncrypto-develThird Party Advisory
http://www.debian.org/security/2008/dsa-1571Mailing List, Patch, Vendor Advisory
http://www.debian.org/security/2008/dsa-1576Mailing List, Patch
http://www.kb.cert.org/vuls/id/925211Third Party Advisory, US Government Resource
http://www.securityfocus.com/archive/1/492112/100/0/threadedBroken Link, Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/29179Broken Link, Exploit, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1020017Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/usn-612-1Patch, Third Party Advisory
http://www.ubuntu.com/usn/usn-612-2Patch, Third Party Advisory
http://www.ubuntu.com/usn/usn-612-3Third Party Advisory
http://www.ubuntu.com/usn/usn-612-4Third Party Advisory
http://www.ubuntu.com/usn/usn-612-7Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA08-137A.htmlBroken Link, Third Party Advisory, US Government Resource
https://16years.secvuln.info
https://exchange.xforce.ibmcloud.com/vulnerabilities/42375Third Party Advisory, VDB Entry
https://news.ycombinator.com/item?id=40333169
https://www.exploit-db.com/exploits/5622Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/5632Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/5720Exploit, Third Party Advisory, VDB Entry

Timeline

Published: May 13, 2008
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2008-0166?

How severe is CVE-2008-0166?

CVE-2008-0166 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 70.72% probability of exploitation in the next 30 days.

How do I fix CVE-2008-0166?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2008-0166?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST