SecurityTracker.com
Category:  Application (Security)  >  OpenSSL
Vendors:  OpenSSL.org
OpenSSL FIPS Object Module Self-Test Error Causes the System to Generate More Predictable Pseudo Random Data
SecurityTracker Alert ID:  1019029
SecurityTracker URL:  http://securitytracker.com/id?1019029
CVE Reference:  CVE-2007-5502
Date:  Nov 30 2007
Impact:  Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): FIPS Object Module v1.1.1 only
Description:  A vulnerability was reported in OpenSSL in the FIPS Object Module. The PRNG is not properly seeded.

Auto-seeding does not occur due to an error in the FIPS self-test. As a result, the system generates pseudo random data that is more predictable than intended.

Geoff Lowe of Secure Computing Corporation reported this vulnerability.

Impact:  The system generates pseudo random data that is more predictable than intended.
Solution:  The vendor plans to issue a fixed version of the FIPS Object Module (1.2), currently undergoing FIPS validation. The fix will be available at:

http://openssl.org/source/openssl-fips-1.1.2.tar.gz

Two different interim patches are available:

http://www.openssl.org/news/patch-CVE-2007-5502-1.txt
http://www.openssl.org/news/patch-CVE-2007-5502-2.txt

The OpenSSL advisory is available at:

http://openssl.org/news/secadv_20071129.txt

Vendor URL:  openssl.org/news/secadv_20071129.txt
Cause:  Randomization error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 30 Nov 2007 08:22:51 -0500
Subject:  OpenSSL

 
 
http://openssl.org/news/secadv_20071129.txt
 
OpenSSL Security Advisory [29-Nov-2007]
 
OpenSSL FIPS Object Module Vulnerabilities
------------------------------------------
 
A significant flaw in the PRNG implementation for the OpenSSL FIPS Object 
Module v1.1.1 (http://openssl.org/source/openssl-fips-1.1.1.tar.gz, FIPS 
140-2 validation certificate #733, 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has 
been reported by Geoff Lowe of Secure Computing Corporation.  Due to a coding 
error in the FIPS self-test the auto-seeding never takes place.  That means 
that the PRNG key and seed used correspond to the last self-test. The FIPS 
PRNG gets additional seed data only from date-time information, so the 
generated random data is far more predictable than it should be, especially 
for the first few calls.
 
This vulnerability is tracked as CVE-2007-5502.
 
Versions Affected
-----------------
 
OpenSSL FIPS Object Module v1.1.1 only.  Only those applications using this 
specific version of the OpenSSL FIPS Object Module which enter FIPS mode are 
affected.  Applications which do not enter FIPS mode or which use any other 
version of OpenSSL are not affected.  The OpenSSL FIPS Object Module v1.2 now 
undergoing validation testing is not affected.  
 
Recommendations
---------------
 
Wait for official approval of a patched distribution.
 
For reference purposes the patches
 
        http://www.openssl.org/news/patch-CVE-2007-5502-1.txt 
 
(the simplest direct fix) and: 
 
        http://www.openssl.org/news/patch-CVE-2007-5502-2.txt
 
(a workaround which avoids touching the PRNG code directly) demonstrate two 
different fixes that independently address the vulnerability.  However, for 
FIPS 140-2 validated software no changes are permitted without prior official 
approval so these patches cannot be applied to the v1.1.1 distribution for 
the purposes of producing a validated module.
 
The vendor of record for the FIPS validation, the Open Source Software 
Institute (OSSI), has supplied the information needed for a "letter change" 
update request based on the latter of these two patches to the FIPS 140-2 
test lab to be submitted for official approval.  Once (and if) approved the 
new distribution containing this patch will be posted as 
http://openssl.org/source/openssl-fips-1.1.2.tar.gz.  The timeline for this 
approval is presently unknown.
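The failure mode the advisory describes, as an added illustration that is not part of the advisory or of OpenSSL's own code: an ANSI X9.31-style generator (the construction the FIPS module's PRNG follows; stated here as an assumption beyond the page) left with its self-test key and seed and fed only a date-time block, beside a properly auto-seeded one, with a check showing that the unseeded generator's output is fixed by the clock alone. The block cipher is replaced by an HMAC stand-in and the self-test key/seed values are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as for the AES-based X9.31 generator


def enc(key: bytes, block: bytes) -> bytes:
    # Block-cipher stand-in (assumption): a keyed PRF truncated to one block.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class X931Prng:
    """ANSI X9.31 generator: I = E_K(DT); R = E_K(I ^ V); V = E_K(R ^ I)."""

    def __init__(self, key: bytes, seed_v: bytes) -> None:
        self.key, self.v = key, seed_v

    def next_block(self, dt: bytes) -> bytes:
        i = enc(self.key, dt)
        r = enc(self.key, xor(i, self.v))
        self.v = enc(self.key, xor(r, i))
        return r


# Constructed stand-ins for the known-answer key/seed the self-test leaves behind.
SELFTEST_KEY = bytes(range(BLOCK))
SELFTEST_SEED = bytes(BLOCK)


def make_prng(auto_seed: bool) -> X931Prng:
    if auto_seed:
        # Intended behaviour: fresh key and seed from the OS entropy source.
        return X931Prng(os.urandom(BLOCK), os.urandom(BLOCK))
    # v1.1.1 behaviour per the advisory: auto-seeding never runs, so the
    # key and seed are still the self-test values.
    return X931Prng(SELFTEST_KEY, SELFTEST_SEED)


def date_time_block(now: float) -> bytes:
    # The only varying input the unseeded module feeds the generator.
    return int(now).to_bytes(8, "big") + bytes(BLOCK - 8)


def first_outputs_collide(auto_seed: bool, now: float, n: int = 4) -> bool:
    """Two independent generators started at the same clock reading: a properly
    seeded PRNG never agrees; the unseeded one is a function of the clock alone."""
    a, b = make_prng(auto_seed), make_prng(auto_seed)
    dt = date_time_block(now)
    return [a.next_block(dt) for _ in range(n)] == [b.next_block(dt) for _ in range(n)]
```

The same comparison, run against a module that is supposed to auto-seed on entering FIPS mode, is a cheap sanity check for an integration test suite.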
 
 
 
 

Copyright 2007, SecurityGlobal.net LLC