FreeBSD Alpha Port Lack Of /dev/random and /dev/urandom Vulnerability
BID:1340
Info
FreeBSD Alpha Port Lack Of /dev/random and /dev/urandom Vulnerability
| Bugtraq ID: | 1340 |
| Class: | Configuration Error |
| CVE: |
CVE-2000-0535 |
| Remote: | No |
| Local: | No |
| Published: | Jun 12 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | First made public in FreeBSD advisory FreeBSD-SA-00:25 on June 12, 2000. |
| Vulnerable: |
FreeBSD FreeBSD 5.0 alpha FreeBSD FreeBSD 4.0 alpha |
| Not Vulnerable: | |
Discussion
FreeBSD Alpha Port Lack Of /dev/random and /dev/urandom Vulnerability
Distributions of FreeBSD for the Alpha architecture shipped without the /dev/random and /dev/urandom devices. These devices can be used by products and tools to gather entropy for generating cryptographically strong random numbers. Software that does not detect whether opening and reading from the devices fails or not before generating these random numbers may be vulnerable to simplified cryptanalysis against the weakened keys that would be produced. OpenSSL version 0.9.4 and OpenSSH both lacked checks and were vulnerable to this problem.
Distributions of FreeBSD for the Alpha architecture shipped without the /dev/random and /dev/urandom devices. These devices can be used by products and tools to gather entropy for generating cryptographically strong random numbers. Software that does not detect whether opening and reading from the devices fails or not before generating these random numbers may be vulnerable to simplified cryptanalysis against the weakened keys that would be produced. OpenSSL version 0.9.4 and OpenSSH both lacked checks and were vulnerable to this problem.