Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2014-0016
Last Modified: 24 Mar 2014 06:28:07
Published: 24 Mar 2014 12:31:08
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2014-0016

Summary

stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.

Vulnerable Systems

Application

  • Stunnel 0.1
  • Stunnel 1.0
  • Stunnel 1.1
  • Stunnel 1.2
  • Stunnel 1.3
  • Stunnel 1.4
  • Stunnel 1.5
  • Stunnel 1.6
  • Stunnel 2.0
  • Stunnel 2.1
  • Stunnel 3.0
  • Stunnel 3.1
  • Stunnel 3.10
  • Stunnel 3.11
  • Stunnel 3.12
  • Stunnel 3.13
  • Stunnel 3.14
  • Stunnel 3.15
  • Stunnel 3.16
  • Stunnel 3.17
  • Stunnel 3.18
  • Stunnel 3.19
  • Stunnel 3.2
  • Stunnel 3.20
  • Stunnel 3.21
  • Stunnel 3.21a
  • Stunnel 3.21b
  • Stunnel 3.21c
  • Stunnel 3.22
  • Stunnel 3.23
  • Stunnel 3.24
  • Stunnel 3.25
  • Stunnel 3.26
  • Stunnel 3.3
  • Stunnel 3.4a
  • Stunnel 3.5
  • Stunnel 3.6
  • Stunnel 3.7
  • Stunnel 3.8
  • Stunnel 3.8p1
  • Stunnel 3.8p2
  • Stunnel 3.8p3
  • Stunnel 3.8p4
  • Stunnel 3.9
  • Stunnel 4.0
  • Stunnel 4.00
  • Stunnel 4.01
  • Stunnel 4.02
  • Stunnel 4.03
  • Stunnel 4.04
  • Stunnel 4.05
  • Stunnel 4.06
  • Stunnel 4.07
  • Stunnel 4.08
  • Stunnel 4.09
  • Stunnel 4.10
  • Stunnel 4.11
  • Stunnel 4.12
  • Stunnel 4.13
  • Stunnel 4.14
  • Stunnel 4.15
  • Stunnel 4.16
  • Stunnel 4.17
  • Stunnel 4.18
  • Stunnel 4.19
  • Stunnel 4.20
  • Stunnel 4.21
  • Stunnel 4.22
  • Stunnel 4.23
  • Stunnel 4.24
  • Stunnel 4.25
  • Stunnel 4.26
  • Stunnel 4.27
  • Stunnel 4.28
  • Stunnel 4.29
  • Stunnel 4.30
  • Stunnel 4.31
  • Stunnel 4.32
  • Stunnel 4.33
  • Stunnel 4.34
  • Stunnel 4.35
  • Stunnel 4.36
  • Stunnel 4.37
  • Stunnel 4.38
  • Stunnel 4.39
  • Stunnel 4.40
  • Stunnel 4.41
  • Stunnel 4.42
  • Stunnel 4.43
  • Stunnel 4.44
  • Stunnel 4.45
  • Stunnel 4.46
  • Stunnel 4.47
  • Stunnel 4.48
  • Stunnel 4.49
  • Stunnel 4.50
  • Stunnel 4.51
  • Stunnel 4.52
  • Stunnel 4.53
  • Stunnel 4.54
  • Stunnel 4.55
  • Stunnel 4.56


References

CONFIRM - https://www.stunnel.org/sdf_ChangeLog.html

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1072180

MISC - https://bugzilla.redhat.com/attachment.cgi?id=870826&action=diff

MLIST - [oss-security] 20140305 libssh and stunnel PRNG flaws


Last Updated: 27 May 2016 11:04:45