Vulnerability Note VU#178990
Erlang/OTP SSH library uses a weak random number generator
The Erlang/OTP SSH library's random number generator is not cryptographically strong because it relies on predictable seed material.
Geoff Cant's report states:
The Erlang/OTP ssh library implements a number of cryptographic operations that depend on cryptographically strong random numbers. Unfortunately the RNG used by the library is not cryptographically strong, and is further weakened by the use of predictable seed material. The RNG (Wichmann-Hill) is not mixed with an entropy source.
An attacker can recover SSH session keys and DSA host keys.
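The following is an added illustration, not code from the Erlang/OTP library or from the report: a textbook Wichmann-Hill (AS183) generator is fully determined by its seed and holds under 45 bits of state, while the operating system CSPRNG has neither property. The class and function names, the byte-extraction method, the seed normalization and the seed values are assumptions made for this example.

```python
import math
import secrets

# Published AS183 (Wichmann-Hill) moduli and multipliers.
MODULI = (30269, 30307, 30323)
MULTIPLIERS = (171, 172, 170)


class WichmannHill:
    """Textbook AS183: three small multiplicative congruential streams combined."""

    def __init__(self, seed):
        # Assumption for this example: fold each seed component into 1..m-1.
        self.state = tuple(1 + (s - 1) % (m - 1) for s, m in zip(seed, MODULI))

    def uniform(self):
        self.state = tuple(a * s % m for a, s, m in zip(MULTIPLIERS, self.state, MODULI))
        return sum(s / m for s, m in zip(self.state, MODULI)) % 1.0

    def random_bytes(self, n):
        # Hypothetical byte extraction: scale each float in [0, 1) to 0..255.
        return bytes(int(self.uniform() * 256) for _ in range(n))


def state_space_bits():
    """Upper bound on generator entropy: log2 of the number of distinct states."""
    return math.log2(math.prod(m - 1 for m in MODULI))


def derive_key_weak(seed, n=16):
    """Hypothetical key material drawn entirely from AS183 with no entropy mixed in."""
    return WichmannHill(seed).random_bytes(n)


def derive_key_strong(n=16):
    """Same-sized key material from the operating system CSPRNG."""
    return secrets.token_bytes(n)


if __name__ == "__main__":
    seed = (1305, 2011, 425)  # constructed seed values
    print("weak key  :", derive_key_weak(seed).hex())
    print("same seed :", derive_key_weak(seed).hex())  # identical to the line above
    print("state bits: %.1f" % state_space_bits())
    print("strong key:", derive_key_strong().hex())
```

A 128-bit key drawn this way carries no more entropy than the generator's state, and less still when the seed itself is predictable.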
Apply an Update
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Ericsson|Affected|-|22 Apr 2011|
CVSS Metrics
Thanks to Geoff Cant for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2011-0766
- Date Public: 25 May 2011
- Date First Published: 25 May 2011
- Date Last Updated: 25 May 2011
- Severity Metric: 2.74
- Document Revision: 14