
CERT Coordination Center

OpenSSL PRNG contains design flaw that allows a user to determine internal state and predict future output

Vulnerability Note VU#131923

Original Release Date: 2001-10-26 | Last Revised: 2002-08-10

Overview

The pseudorandom number generator (PRNG) in OpenSSL has a weakness that allows an attacker to determine its internal state and subsequently determine its future output values.

Description

OpenSSL's PRNG hashes an internal state to produce output values, which are supposed to be pseudorandom and unpredictable. Since the hash algorithms are well-known, the internal state is intended to be mostly secret to prevent attackers from guessing what the output will be. However, in versions of OpenSSL prior to 0.9.6b, the PRNG outputs a significant portion of the internal state that is used in subsequent hash computation. Knowing this portion of internal state, attackers can brute-force the PRNG with multiple 1-byte requests to discover the entire internal state used to create future output values. For more information, see the OpenSSL security advisory of 10 July 2001.

Impact

Attackers can learn in advance what output the PRNG will return. Cryptographic secrets based on supposedly random values from the PRNG will no longer be secret, since those values can be determined in advance.

Solution

Contact your operating system vendor for an update that includes OpenSSL 0.9.6b or later.

Advanced users may wish to install from source code available at:

ftp://ftp.openssl.org/source/openssl-0.9.6b.tar.gz

None.
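As an added example (not part of the original note), the following Python helper checks whether an installed OpenSSL reports a version older than 0.9.6b, the first release carrying the fix. It assumes the classic 0.9.x version format with an optional letter suffix (0.9.6, 0.9.6a, 0.9.6b) as printed by `openssl version`.

```python
import re
import subprocess

# First OpenSSL release with the PRNG fix described in VU#131923.
FIXED = (0, 9, 6, "b")

# Matches "0.9.6a", "0.9.7", "3.0.2": three numbers and an optional letter suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 0.9.6a 5 Jul 2001' (or a bare '0.9.6a') into a comparable tuple.

    The letter suffix sorts as a string, so '' < 'a' < 'b', matching OpenSSL's
    0.9.x release ordering.
    """
    m = VERSION_RE.match(text.replace("OpenSSL", "").strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_vulnerable(version_text):
    """True if the reported version predates 0.9.6b."""
    return parse_openssl_version(version_text) < FIXED


def check_installed_openssl():
    """Run `openssl version` on this host; returns True/False, or None if no binary is found."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample string, as `openssl version` printed it for a 0.9.6a build.
    sample = "OpenSSL 0.9.6a 5 Jul 2001"
    print(sample, "->", "vulnerable" if is_vulnerable(sample) else "fixed")
    print("this host:", check_installed_openssl())
```

Vendors sometimes backport the fix without changing the reported version string, so treat a "vulnerable" result from this check as a prompt to confirm with the vendor's own advisory, as the Solution section recommends.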

Vendor Information



Acknowledgements

Thanks to the OpenSSL Project for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2001-1141
Severity Metric: 2.60
Date Public: 2000-07-10
Date First Published: 2001-10-26
Date Last Updated: 2002-08-10 19:26 UTC
Document Revision: 11

Sponsored by CISA.