what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenSSL Security Advisory 20071129

OpenSSL Security Advisory 20071129
Posted Nov 29, 2007
Site openssl.org

OpenSSL Security Advisory 20071129 - A significant flaw in the PRNG implementation for the OpenSSL FIPS Object Module v1.1.1 has been reported by Geoff Lowe of Secure Computing Corporation.

tags | advisory
advisories | CVE-2007-5502
SHA-256 | 1c6d80ff4b28bba5c1b355562c19037b83fb6a0a696bebe74ae47f91c3eb5f75

OpenSSL Security Advisory 20071129

Change Mirror Download
OpenSSL Security Advisory [29-Nov-2007]

OpenSSL FIPS Object Module Vulnerabilities
------------------------------------------

A significant flaw in the PRNG implementation for the OpenSSL FIPS Object
Module v1.1.1 (https://www.openssl.org/source/openssl-fips-1.1.1.tar.gz, FIPS
140-2 validation certificate #733,
https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has
been reported by Geoff Lowe of Secure Computing Corporation. Due to a coding
error in the FIPS self-test the auto-seeding never takes place. That means
that the PRNG key and seed used correspond to the last self-test. The FIPS
PRNG gets additional seed data only from date-time information, so the
generated random data is far more predictable than it should be, especially
for the first few calls.

This vulnerability is tracked as CVE-2007-5502.

Versions Affected
-----------------

OpenSSL FIPS Object Module v1.1.1 only. Only those applications using this
specific version of the OpenSSL FIPS Object Module which enter FIPS mode are
affected. Applications which do not enter FIPS mode or which use any other
version of OpenSSL are not affected. The OpenSSL FIPS Object Module v1.2 now
undergoing validation testing is not affected.

Recommendations
---------------

Wait for official approval of a patched distribution.

For reference purposes the patches

https://www.openssl.org/news/patch-CVE-2007-5502-1.txt

(the simplest direct fix) and:

https://www.openssl.org/news/patch-CVE-2007-5502-2.txt

(a workaround which avoids touching the PRNG code directly) demonstrate two
different fixes that independently address the vulnerability. However, for
FIPS 140-2 validated software no changes are permitted without prior official
approval so these patches cannot be applied to the v1.1.1 distribution for
the purposes of producing a validated module.

The vendor of record for the FIPS validation, the Open Source Software
Institute (OSSI), has supplied the information needed for a "letter change"
update request based on the latter of these two patches to the FIPS 140-2
test lab to be submitted for official approval. Once (and if) approved the
new distribution containing this patch will be posted as
https://www.openssl.org/source/openssl-fips-1.1.2.tar.gz. The timeline for this
approval is presently unknown.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close