CVSS2 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |

EPSS | Value |
---|---|
Percentile | 75.6% |

The pseudorandom number generator (PRNG) in OpenSSL has a weakness that allows an attacker to determine its internal state and subsequently determine its future output values.
OpenSSL’s PRNG hashes an internal state to produce output values, which are supposed to be pseudorandom and unpredictable. Since the hash algorithms are well-known, the internal state is intended to be mostly secret to prevent attackers from guessing what the output will be. However, in versions of OpenSSL prior to 0.9.6b, the PRNG outputs a significant portion of the internal state that is used in subsequent hash computation. Knowing this portion of internal state, attackers can brute-force the PRNG with multiple 1-byte requests to discover the entire internal state used to create future output values. For more information, see the OpenSSL security advisory of 10 July 2001.
Attackers can learn in advance what output the PRNG will return. Cryptographic secrets based on supposedly random values from the PRNG will no longer be secret, since those values can be determined in advance.
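The following added example is a simplified model, not OpenSSL code and not taken from the advisory. It shows why releasing the same state that feeds the next hash, while mixing in only one secret byte per small request, makes future output computable, and how a design that avoids both properties resists the same analysis. The pool size, the stirring step, the choice of SHA-1 halves and the "hardened" variant are assumptions of this example, and for brevity each call releases the whole output half.

```python
import hashlib

HALF = 10  # SHA-1 yields 20 bytes; this model releases the first half as output

class ToyPRNG:
    """Simplified model for illustration; not OpenSSL's code or data layout."""
    def __init__(self, seed: bytes, hardened: bool):
        self.pool = bytearray(hashlib.sha1(b"pool" + seed).digest()[:8])
        self.md = hashlib.sha1(b"md" + seed).digest()
        self.pos, self.hardened = 0, hardened

    def next_output(self) -> bytes:
        if self.hardened:
            # Feed back the half that is never released and mix the whole pool.
            feedback, mixed = self.md[HALF:], bytes(self.pool)
        else:
            # Weak: feed back the half just released; a small request mixes 1 byte.
            feedback, mixed = self.md[:HALF], bytes([self.pool[self.pos]])
        self.md = hashlib.sha1(feedback + mixed).digest()
        self.pool[self.pos] ^= self.md[HALF]  # stir pool with the unreleased half
        self.pos = (self.pos + 1) % len(self.pool)
        return self.md[:HALF]

def recover_pool(outputs, pool_len):
    """From outputs alone, solve for each mixed pool byte (256 candidates each)."""
    pool = [None] * pool_len
    for i in range(len(outputs) - 1):
        prev, nxt = outputs[i], outputs[i + 1]
        hits = [b for b in range(256)
                if hashlib.sha1(prev + bytes([b])).digest()[:HALF] == nxt]
        if len(hits) != 1:
            return None  # outputs do not determine the hidden state
        full = hashlib.sha1(prev + bytes([hits[0]])).digest()
        pool[(i + 1) % pool_len] = hits[0] ^ full[HALF]  # value after stirring
    return pool

def predictable(hardened: bool) -> bool:
    """True if an observer of the outputs can compute the next one in advance."""
    prng = ToyPRNG(b"constructed demo seed", hardened)
    seen = [prng.next_output() for _ in range(len(prng.pool) + 1)]
    pool = recover_pool(seen, len(prng.pool))
    if pool is None:
        return False
    guess = hashlib.sha1(seen[-1] + bytes([pool[len(seen) % len(pool)]])).digest()[:HALF]
    return guess == prng.next_output()

if __name__ == "__main__":
    print("weak design predictable:", predictable(False))
    print("hardened design predictable:", predictable(True))
```
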
Contact your operating system vendor for an update which includes OpenSSL 0.9.6b or later.
Advanced users may wish to install from source code available at:
<ftp://ftp.openssl.org/source/openssl-0.9.6b.tar.gz>
None.
131923
Updated: July 29, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23131923 Feedback>).
Updated: October 25, 2001
Affected
Conectiva’s for CL 7.0 are at:
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418&idioma=en
That page also contains links to updates for our older distros.
Updated: October 25, 2001
Affected
See <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:51.openssl.v1.1.asc>
Updated: July 29, 2002
Affected
All users should upgrade to the most recent version, as outlined in
this advisory.
Guardian Digital recently made available the Guardian Digital Secure
Update, a means to proactively keep systems secure and manage
system software. EnGarde users can automatically update their system
using the Guardian Digital WebTool secure interface.
If choosing to manually upgrade this package, updates can be
obtained from:
<ftp://ftp.engardelinux.org/pub/engarde/stable/updates/>
<http://ftp.engardelinux.org/pub/engarde/stable/updates/>
Before upgrading the package, the machine must either:
a) be booted into a “standard” kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
To install the updated package, execute the command:
To reload the LIDS configuration, execute the command:
To re-enable LIDS (if it was disabled), execute the command:
To verify the signature of the updated packages, execute the command:
Updated: October 25, 2001
Affected
NetBSD released the security advisory:
NetBSD Security Advisory 2001-013 OpenSSL PRNG weakness (up to 0.9.6a)
on August 23 detailing our solution to this issue.
It may be found at:
<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-013.txt.asc>
In summary, we shipped some software which was vulnerable, but we have published a solution to the problem, and our latest shipping release (NetBSD 1.5.2) is not vulnerable.
Updated: October 25, 2001
Affected
See <http://www.openssl.org/news/secadv_prng.txt>
Updated: July 29, 2002
Not Affected
HP does not ship/support OpenSSL.
Updated: October 25, 2001
Not Affected
Regarding VU#131923, IBM’s AIX operating system is not vulnerable, as IBM does not include OpenSSL.
Updated: October 19, 2001
Unknown
We have not received a statement from the vendor.
Thanks to the OpenSSL Project for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
CVE IDs: | CVE-2001-1141 |
---|---|
Severity Metric: | 2.60 |
Date Public: | |