OpenSSL Pseudo-Random Number Generator Vulnerability in Libssh
CVE-2014-0017

Currently unrated

Key Information:

Vendor: Libssh
Status: Libssh
Vendor: CVE Published:; 14 March 2014

What is CVE-2014-0017?

The RAND_bytes function in Libssh versions prior to 0.6.3 contains a vulnerability related to the OpenSSL pseudo-random number generator. When forking is enabled, the state of the PRNG is not adequately reset, leading to shared state among child processes. This oversight creates a potential risk where local users could exploit a PID collision to gain unauthorized access to sensitive information, compromising system security.

References

http://www.ubuntu.com/usn/USN-2145-1

vendor-advisoryx_refsource_UBUNTU

http://www.debian.org/security/2014/dsa-2879

vendor-advisoryx_refsource_DEBIAN

http://lists.opensuse.org/opensuse-updates/2014-03/msg000...

vendor-advisoryx_refsource_SUSE

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 14, 2014
Vulnerability Reserved
Dec 3, 2013

CVE-2014-0017 Data

JSON