
CERT Coordination Center

OpenSSL PRNG contains design flaw that allows a user to determine internal state and predict future output

Vulnerability Note VU#131923

Original Release Date: 2001-10-26 | Last Revised: 2002-08-10

Overview

The pseudorandom number generator (PRNG) in OpenSSL has a weakness that allows an attacker to recover its internal state and thereby predict its future output.

Description

OpenSSL's PRNG produces output by hashing an internal state. Because the hash algorithm is public, the output is unpredictable only as long as that state stays secret. In versions of OpenSSL prior to 0.9.6b, however, a significant portion of what the PRNG emits as output is also part of the internal state fed into the next hash computation. An attacker who can observe the output of a sequence of 1-byte requests learns that portion of the state with each request and only has to brute-force the remaining, much smaller, unknown portion; repeating this over several requests recovers the entire internal state used to produce later output. For details, see the OpenSSL security advisory of 10 July 2001 (http://www.openssl.org/news/secadv_prng.txt).
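To make the mechanism concrete, the following is an added illustration written for this note; it is not OpenSSL's code and does not reproduce ssleay_rand_bytes(). It is a deliberately shrunken toy generator (SHA-256, a 3-byte chaining state and a 4-byte counter are all assumptions chosen so the brute force finishes in under a second) that has the same shape of flaw: the bytes returned to the caller are a prefix of the digest that becomes the next state. recover_state plays the attacker, enumerating the two unobserved state bytes after the first 1-byte request and discarding candidates that fail to reproduce later 1-byte outputs; predict_next then reproduces the generator's future output. SafePRNG shows the shape a fix takes: output and next state are derived by separate one-way hashes over a state wide enough that nothing small is left to enumerate. The class names, seed and sizes are made up for the illustration.

```python
import hashlib

# Toy sizes, chosen so the brute force below finishes in well under a second.
# They are an assumption of this illustration, not OpenSSL's parameters.
CHAIN_LEN = 3        # bytes of secret chaining state carried between steps
COUNTER_LEN = 4


def _hash_step(chain: bytes, counter: int) -> bytes:
    """One PRNG iteration: hash the secret state together with a counter."""
    return hashlib.sha256(chain + counter.to_bytes(COUNTER_LEN, "big")).digest()


class LeakyPRNG:
    """Vulnerable toy: the bytes handed to the caller are a prefix of the very
    digest that becomes the next chaining state, so output leaks state."""

    def __init__(self, seed: bytes):
        self.chain = hashlib.sha256(b"seed" + seed).digest()[:CHAIN_LEN]
        self.counter = 0

    def rand_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            digest = _hash_step(self.chain, self.counter)
            self.counter += 1
            self.chain = digest[:CHAIN_LEN]                # next secret state ...
            out += digest[:min(CHAIN_LEN, n - len(out))]   # ... is also the output
        return bytes(out)


class SafePRNG:
    """Hardened toy: output and next state come from two separate one-way
    derivations over a 32-byte state, so no output byte is part of the
    input to any later hash and nothing small is left to brute-force."""

    def __init__(self, seed: bytes):
        self.chain = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0

    def rand_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            ctr = self.counter.to_bytes(COUNTER_LEN, "big")
            out += hashlib.sha256(b"out" + self.chain + ctr).digest()[: n - len(out)]
            self.chain = hashlib.sha256(b"next" + self.chain + ctr).digest()
            self.counter += 1
        return bytes(out)


def recover_state(observed: list, start_counter: int = 0):
    """Attacker side. `observed` holds the results of consecutive 1-byte
    requests to a LeakyPRNG whose counter was `start_counter` at the first
    request. A 1-byte request reveals the first of the CHAIN_LEN state bytes
    it leaves behind; the other CHAIN_LEN-1 bytes are enumerated, and every
    later observation discards candidates whose next digest does not
    reproduce it. Returns (chain, counter) as they stand after the last
    observed request, or None if the observations do not pin the state down."""
    unknown = CHAIN_LEN - 1
    candidates = {observed[0][:1] + rest.to_bytes(unknown, "big")
                  for rest in range(256 ** unknown)}
    counter = start_counter + 1
    for obs in observed[1:]:
        survivors = set()
        for chain in candidates:
            digest = _hash_step(chain, counter)
            if digest[0] == obs[0]:
                survivors.add(digest[:CHAIN_LEN])   # state left behind by this step
        candidates = survivors
        counter += 1
    if len(candidates) != 1:
        return None
    return candidates.pop(), counter


def predict_next(chain: bytes, counter: int, n: int) -> bytes:
    """Run the recovered state forward to produce the generator's future output."""
    clone = LeakyPRNG(b"")
    clone.chain, clone.counter = chain, counter
    return clone.rand_bytes(n)


def output_reveals_state(rng, steps: int = 8) -> bool:
    """True if every 1-byte output equals the first byte of the state the step
    left behind: always for LeakyPRNG, essentially never for SafePRNG."""
    return all(rng.rand_bytes(1)[0] == rng.chain[0] for _ in range(steps))


if __name__ == "__main__":
    victim = LeakyPRNG(b"constructed demo seed")      # seed made up for the demo
    seen = [victim.rand_bytes(1) for _ in range(8)]   # what the attacker observes
    chain, counter = recover_state(seen)
    print("recovered state:", chain.hex(), "counter:", counter)
    print("prediction matches:", predict_next(chain, counter, 16) == victim.rand_bytes(16))
```

Run it directly to watch the recovery. With CHAIN_LEN = 3 the first filtering pass costs 65,536 hashes and each further observation cuts the candidate set by roughly a factor of 256, so a handful of 1-byte outputs is enough. The real generator's state layout, hash and work factor differ; what carries over is the check a reviewer should apply to any hash-based PRNG: whatever part of the next hash input the output does not reveal must be far too large to enumerate, and output should never be a slice of the state itself.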

Impact

Attackers can learn in advance what output the PRNG will return. Cryptographic secrets derived from supposedly random PRNG output, such as keys generated from it, are no longer secret, since those values can be determined in advance.

Solution

Contact your operating system vendor for an update which includes OpenSSL 0.9.6b or later.

Advanced users may wish to install from source code available at:

ftp://ftp.openssl.org/source/openssl-0.9.6b.tar.gz


Vendor Information


Astaro Affected

Updated:  July 29, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Updated:  October 25, 2001

Status

Affected

Vendor Statement

Conectiva's updates for CL 7.0 are at:

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418&idioma=en

That page also contains links to updates for our older distros.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Updated:  October 25, 2001

Status

Affected

Vendor Statement

See <URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:51.openssl.v1.1.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Affected

Updated:  July 29, 2002

Status

Affected

Vendor Statement

All users should upgrade to the most recent version, as outlined in
this advisory.

Guardian Digital recently made available the Guardian Digital Secure
Update, a means to proactively keep systems secure and manage
system software. EnGarde users can automatically update their system
using the Guardian Digital WebTool secure interface.

If choosing to manually upgrade this package, updates can be
obtained from:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

a) be booted into a "standard" kernel; or
b) have LIDS disabled.

To disable LIDS, execute the command:

# /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:

# rpm -Uvh <filename>

To reload the LIDS configuration, execute the command:

# /usr/sbin/config_lids.pl

To re-enable LIDS (if it was disabled), execute the command:

# /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signature of the updated packages, execute the command:

# rpm -Kv <filename>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Updated:  October 25, 2001

Status

Affected

Vendor Statement

NetBSD released the security advisory:


NetBSD Security Advisory 2001-013 OpenSSL PRNG weakness (up to 0.9.6a)

on August 23 detailing our solution to this issue.

It may be found at:


In summary, we shipped some software which was vulnerable, but we have published a solution to the problem, and our latest shipping release (NetBSD 1.5.2) is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSL Affected

Updated:  October 25, 2001

Status

Affected

Vendor Statement

See http://www.openssl.org/news/secadv_prng.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Not Affected

Updated:  July 29, 2002

Status

Not Affected

Vendor Statement

HP does not ship/support OpenSSL.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Not Affected

Updated:  October 25, 2001

Status

Not Affected

Vendor Statement

Regarding VU#131923, IBM's AIX operating system is not vulnerable, as IBM does not include OpenSSL.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Unknown

Updated:  October 19, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

Thanks to the OpenSSL Project for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2001-1141
Severity Metric: 2.60
Date Public: 2001-07-10
Date First Published: 2001-10-26
Date Last Updated: 2002-08-10 19:26 UTC
Document Revision: 11

Sponsored by CISA.