FreeBSD : libssh -- PRNG state reuse on forking servers (f8c88d50-5fb3-11e4-81bd-5453ed2e2b49)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Aris Adamantiadis reports :

When accepting a new connection, the server forks and the child
process handles the request. The RAND_bytes() function of openssl
doesn't reset its state after the fork, but simply adds the current
process id (getpid) to the PRNG state, which is not guaranteed to be
unique.

See also :

http://www.openwall.com/lists/oss-security/2014/03/05/1
http://www.nessus.org/u?383e8e32

Solution :

Update the affected package.

Risk factor :

Low / CVSS Base Score : 1.9
(CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 78730 ()

Bugtraq ID:

CVE ID: CVE-2014-0017

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now