OpenSSL < 0.9.5a /dev/random Check Failure

medium Nessus Plugin ID 17707

Synopsis

The remote host uses a version of OpenSSL that may have weak encryption keys.

Description

According to its banner, the version of OpenSSL running on the remote host is less than 0.9.5a. On a FreeBSD system running on the Alpha architecture, versions earlier than that may not use the /dev/random and /dev/urandom devices to provide a strong source of cryptographic entropy, which could lead to the generation of keys with weak cryptographic strength.

Solution

Upgrade OpenSSL to version 0.9.5a or higher and re-generate encryption keys.

See Also

http://cvs.openssl.org/fileview?f=openssl/CHANGES&v=1.514

http://www.nessus.org/u?16bc8320

Plugin Details

Severity: Medium

ID: 17707

File Name: openssl_0_9_5a.nasl

Version: 1.7

Type: remote

Family: Web Servers

Published: 11/18/2011

Updated: 7/17/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: cpe:/a:openssl:openssl

Required KB Items: Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 5/10/2010

Vulnerability Publication Date: 6/12/2010

Reference Information

CVE: CVE-2000-0535

BID: 1340