SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   nCipher Hardware Security Module Vendors:   nCipher
nCipher Cryptographic Hardware Interface Library (CHIL) Discloses Random Cache to Forked Processes
SecurityTracker Alert ID:  1014441
SecurityTracker URL:  http://securitytracker.com/id/1014441
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Aug 2 2005
Original Entry Date:  Jul 11 2005
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Host/resource access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the nCipher Cryptographic Hardware Interface Library (CHIL). The random cache is not properly cleared for forked processes. The impact depends on the application using CHIL.

When a multi-threaded application that uses the CHIL libhwcrhk HWCryptoHook_RandomBytes() function in a component that forks a process, the function may provide the identical random data to all forked child processes for a short period of time. The child processes may inherit the same cached results of the GenerateRandom command.

Host-side software may be affected. For example, a web server that uses CHIL to generate random data via OpenSSL may generate duplicate SSL session IDs for a short period of time. In this example, this may cause SSL handshakes to fail.

The specific impact of this vulnerability depends on the application that uses the affected library.

Users can run the 'ncversions' command to look for lines that specify 'hwcrhk' to determine if they are affected. Versions prior to 1.9.7 are affected.

[Editor's note: This vulnerability resides in nCipher application software and not in the firmware/hardware.]

Impact:   The impact depends on the application using CHIL.
Solution:   The vendor has issued a software fix, available from nCipher Support.
Vendor URL:  www.ncipher.com/support/advisories/advisory11.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC