Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2001-0950
Last Modified 05 Sep 2008 04:25:18
Published 04 Dec 2001 12:00:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2001-0950

Summary

ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.

Vulnerable Systems

Application

  • Valicert Enterprise Validation Authority 3.3

  • Valicert Enterprise Validation Authority 3.4

  • Valicert Enterprise Validation Authority 3.5

  • Valicert Enterprise Validation Authority 3.6

  • Valicert Enterprise Validation Authority 3.7

  • Valicert Enterprise Validation Authority 3.8

  • Valicert Enterprise Validation Authority 3.9

  • Valicert Enterprise Validation Authority 4.0

  • Valicert Enterprise Validation Authority 4.1

  • Valicert Enterprise Validation Authority 4.2

  • Valicert Enterprise Validation Authority 4.2.1


References

XF - eva-insecure-key-generation(7653)

XF - eva-insecure-key-storage(7651)

BID - 3620

BID - 3618

CONFIRM - http://www.valicert.com/support/security_advisory_eva.html

BUGTRAQ - 20011204 NMRC Advisory - Multiple Valicert Problems


Last Updated: 27 May 2016 10:36:28