Vulnerability Note VU#150249
OpenSSL FIPS Object Module fails to properly generate random seeds

Overview

The OpenSSL FIPS Module fails to perform auto-seeding, which may allow an attacker to predict pseudo-randomly generated data.

I. Description

OpenSSL is a toolkit that provides SSL and TLS protocols as well as a general purpose cryptography library. The OpenSSL FIPS Object Module provides an API for invoking FIPS-approved cryptographic functions. The OpenSSL FIPS Module fails to properly perform auto-seeding during the FIPS self-test. This causes the PRNG key and seed to correspond to the last self-test. The FIPS PRNG gets additional seed data from the date-time information only.

II. Impact

An attacker may be able to predict pseudo-randomly generated data from OpenSSL. This can weaken the protection provided by OpenSSL's cryptography.

III. Solution

Wait for an approved patched distribution

This vulnerability is described in OpenSSL Security Advisory [29-Nov-2007]. That advisory describes the patches that demonstrate two different fixes for the vulnerability. However, FIPS 140-2 validation must be performed before the fixes can be incorporated into a validated module.
This vulnerability was reported by Geoff Lowe of Secure Computing Corporation. This document was written by Will Dormann.