Detections
Analytics

FreeBSD : libssh -- PRNG state reuse on forking servers (f8c88d50-5fb3-11e4-81bd-5453ed2e2b49)

low Nessus Plugin ID 78730

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Aris Adamantiadis reports :

When accepting a new connection, the server forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but simply adds the current process id (getpid) to the PRNG state, which is not guaranteed to be unique.

Solution

Update the affected package.

See Also

https://www.openwall.com/lists/oss-security/2014/03/05/1

http://www.nessus.org/u?d21b1031

Plugin Details

Severity: Low

ID: 78730

File Name: freebsd_pkg_f8c88d505fb311e481bd5453ed2e2b49.nasl

Version: 1.5

Type: local

Published: 10/30/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Low

Base Score: 1.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:libssh, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 10/29/2014

Vulnerability Publication Date: 3/5/2014

Reference Information

CVE: CVE-2014-0017

Secunia: 57407