Joshua Chamas Crypt::SSLeay Perl Module Insecure Entropy Source Vulnerability
BID:13471
Info
| Bugtraq ID: | 13471 |
| Class: | Design Error |
| CVE: | CVE-2005-0106 |
| Remote: | No |
| Local: | Yes |
| Published: | May 03 2005 12:00AM |
| Updated: | Aug 24 2006 10:59PM |
| Credit: | Javier Fernandez-Sanguino Pena is credited with the discovery of this issue. |
| Vulnerable: | Mandriva Linux Mandrake 2006.0 x86_64; Mandriva Linux Mandrake 2006.0; Mandriva Linux Mandrake 10.2 x86_64; Mandriva Linux Mandrake 10.2; Mandriva Linux Mandrake 10.1 x86_64; Mandriva Linux Mandrake 10.1; Mandriva Linux Mandrake 10.0 AMD64; Mandriva Linux Mandrake 10.0; MandrakeSoft Corporate Server 3.0 x86_64; MandrakeSoft Corporate Server 3.0; Joshua Chamas Crypt::SSLeay 0.51; Joshua Chamas Crypt::SSLeay 1.25 |
| Not Vulnerable: | |
Discussion
Crypt::SSLeay is prone to a security vulnerability. Reports indicate that the library employs a file from a world-writable location for its fallback entropy source. The module defaults to this file if a proper entropy source is not set.
If the affected library is using the insecure file as a source of entropy, a local attacker may replace the contents of the file with known text. This known text is then employed to seed cryptographic operations. This may lead to weak cryptographic operations.
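One way a defender could audit a fallback seed file for the weakness described above (an added example, not code from Crypt::SSLeay or the referenced advisories; the function name, the trusted-owner policy and the constructed sample files are assumptions):

```python
import os
import stat
import tempfile


def audit_seed_file(path, trusted_uids=None):
    """Return the reasons `path` is unsafe as an entropy seed file."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumed policy: root or ourselves
    problems = []
    try:
        # A world-writable directory lets any local user create the file first.
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if parent.st_mode & stat.S_IWOTH:
            problems.append("world-writable-directory")
        st = os.lstat(path)  # lstat: inspect a planted symlink, not its target
    except FileNotFoundError:
        return problems + ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not-regular-file")
    elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group-or-world-writable")
    if st.st_uid not in trusted_uids:
        problems.append("untrusted-owner")
    return problems


def demo():
    """Audit constructed sample files inside a private temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        seed = os.path.join(d, "seed")  # constructed sample seed file
        with open(seed, "wb") as f:
            f.write(os.urandom(32))
        os.chmod(seed, 0o600)
        results["private"] = audit_seed_file(seed)
        os.chmod(seed, 0o666)
        results["writable_file"] = audit_seed_file(seed)
        os.chmod(seed, 0o600)
        os.symlink(seed, os.path.join(d, "link"))
        results["symlink"] = audit_seed_file(os.path.join(d, "link"))
        results["missing"] = audit_seed_file(os.path.join(d, "absent"))
        os.chmod(d, 0o1777)  # mimic a /tmp-style shared directory
        results["shared_dir"] = audit_seed_file(seed)
        os.chmod(d, 0o700)
    return results
```

An empty list means the file passed every check; any non-empty result means the file should not be used as a seed source.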
Exploit / POC
No exploit is required.
Solution / Fix
Solution:
Please see the referenced advisories for further information:
- Ubuntu Linux has released advisory USN-113-1 to address this issue.
- Mandriva has released advisory MDKSA-2006:023 to address this issue.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Joshua Chamas Crypt::SSLeay 1.25
- Mandriva perl-Net_SSLeay-1.25-4.1.101mdk.i586.rpm
  Mandriva Linux 10.1:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.101mdk.x86_64.rpm
  Mandriva Linux 10.1:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.102mdk.i586.rpm
  Mandriva Linux 10.2:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.102mdk.x86_64.rpm
  Mandriva Linux 10.2:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.20060mdk.i586.rpm
  Mandriva Linux 2006.0:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.20060mdk.x86_64.rpm
  Mandriva Linux 2006.0:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.C30mdk.i586.rpm
  Corporate 3.0:
  http://wwwnew.mandriva.com/en/downloads/
- Mandriva perl-Net_SSLeay-1.25-4.1.C30mdk.x86_64.rpm
  Corporate 3.0:
  http://wwwnew.mandriva.com/en/downloads/

Joshua Chamas Crypt::SSLeay 0.51
- Ubuntu libnet-ssleay-perl_1.25-1ubuntu0.2_amd64.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_amd64.deb
- Ubuntu libnet-ssleay-perl_1.25-1ubuntu0.2_i386.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_i386.deb
- Ubuntu libnet-ssleay-perl_1.25-1ubuntu0.2_powerpc.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_powerpc.deb