CVE-2001-1141
CVSS 5.0
Published: 2001-07-10 00:00:00
Last revised: 2008-09-05 16:25:47

[Original] The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.


[CNNVD] SSLeay and OpenSSL vulnerability (CNNVD-200107-064)

The Pseudo-Random Number Generator (PRNG) in SSLeay and in OpenSSL versions before 0.9.6b contains a vulnerability. An attacker can use the output of very small PRNG requests to determine internal state information, which the attacker may then use to predict future pseudo-random numbers.

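- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]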

- CPE (affected platforms and products)

cpe:/a:openssl:openssl:0.9.4    OpenSSL Project OpenSSL 0.9.4
cpe:/a:ssleay:ssleay:0.9
cpe:/a:openssl:openssl:0.9.6a   OpenSSL Project OpenSSL 0.9.6a
cpe:/a:openssl:openssl:0.9.5    OpenSSL Project OpenSSL 0.9.5
cpe:/a:openssl:openssl:0.9.6    OpenSSL Project OpenSSL 0.9.6
cpe:/a:openssl:openssl:0.9.3    OpenSSL Project OpenSSL 0.9.3
cpe:/a:ssleay:ssleay:0.8.1
cpe:/a:ssleay:ssleay:0.9.1
cpe:/a:openssl:openssl:0.9.1c   OpenSSL Project OpenSSL 0.9.1c
cpe:/a:openssl:openssl:0.9.2b   OpenSSL Project OpenSSL 0.9.2b

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1141
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1141
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-064
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6823.php
(VENDOR_ADVISORY)  XF  openssl-prng-brute-force(6823)
http://www.securityfocus.com/bid/3004
(VENDOR_ADVISORY)  BID  3004
http://www.securityfocus.com/archive/1/195829
(VENDOR_ADVISORY)  BUGTRAQ  20010710 OpenSSL Security Advisory: PRNG weakness in versions up to 0.9.6a
http://www.redhat.com/support/errata/RHSA-2001-051.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2001:051
http://www.securityfocus.com/advisories/3475
(UNKNOWN)  FREEBSD  FreeBSD-SA-01:51
http://www.osvdb.org/853
(UNKNOWN)  OSVDB  853
http://www.linuxsecurity.com/advisories/other_advisory-1483.html
(UNKNOWN)  ENGARDE  ESA-20010709-01
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-065.php3?dis=8.0
(UNKNOWN)  MANDRAKE  MDKSA-2001:065
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418
(UNKNOWN)  CONECTIVA  CLA-2001:418
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-013.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2001-013

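- Vulnerability information

SSLeay and OpenSSL vulnerability
Medium severity  Unknown
2001-07-10 00:00:00 2006-09-21 00:00:00
Remote
The Pseudo-Random Number Generator (PRNG) in SSLeay and in OpenSSL versions before 0.9.6b contains a vulnerability. An attacker can use the output of very small PRNG requests to determine internal state information, which the attacker may then use to predict future pseudo-random numbers.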

- Advisories and patches

        

- Vulnerability information

853
OpenSSL PRNG Information Disclosure
Local Access Required, Remote / Network Access Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

The pseudo-random number generator (PRNG) in OpenSSL contains a cryptographic design error, such that retrieving the output of a few hundred consecutive short PRNG requests enables attacker prediction of PRNG internal state. In turn, this allows the attacker to predict the subsequent PRNG output, significantly weakening the strength of the encryption. This problem originated in SSLeay and its derivative toolkits, of which OpenSSL is one.

- Timeline

2001-07-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.9.6b or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch for versions of OpenSSL from 0.9.5 to 0.9.6a. Versions prior to 0.9.5 must upgrade.

- Related references

- Vulnerability author

 

 
