• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: OpenSSL PRNG Internal State Disclosure Vulnerability

Severity: MODERATE

Description:

The randomness pool and associated mixing function used by the OpenSSL PRNG (pseudo-random number generator) suffer from a flaw that could enable an attacker to reconstruct the generator's internal state.

The OpenSSL generator maintains a global 1024-byte 'state' buffer (the randomness pool) along with an incrementing counter and a working hash value. The PRNG function used by OpenSSL both mixes the contents of the state buffer and produces the generator's output.

For each successive group of ten bytes (or less) of data extracted from the generator, the high ten bytes of a local buffer initialized from the global hash are hashed with ten bytes of the global state and the counter. The first ten bytes of the hash result are XOR'd back into the global state, and the remaining ten bytes are provided as the generator's output.

The flaw exists because the data quantum from the global hash used as input to the hash function is also used in the generator's output, meaning that in general it can not be considered secret. Additionally, the number of bytes used from the global state depends on the amount of PRNG output requested and could be as low as one, allowing brute-force analysis of all possible cases.

If an attacker is able to gain knowledge of the generator's state, it may be possible for that attacker to predict future results.

The impact of this vulnerability depends on the nature of the target application or protocol. It is relatively unlikely for data to be retrieved from the OpenSSL PRNG in a pattern allowing for attacks.

No vulnerable applications are currently known.

Affected Products:

• Caldera OpenLinux Server 3.1.0
• Caldera OpenLinux Server 3.1.1
• Caldera OpenLinux Workstation 3.1.0
• Caldera OpenLinux Workstation 3.1.1
• Conectiva Linux 6.0.0
• Conectiva Linux 7.0.0
• Debian Linux 3.0.0
• EnGarde Secure Linux 1.0.1
• HP Secure OS software for Linux 1.0.0
• MandrakeSoft Linux Mandrake 8.0.0
• MandrakeSoft Linux Mandrake 8.0.0 ppc
• NetBSD NetBSD 1.5.0
• NetBSD NetBSD 1.5.1
• NetBSD NetBSD 1.5.2
• NetBSD NetBSD 1.5.3
• NetBSD NetBSD 1.6.0
• NetBSD NetBSD 1.6.0 Beta
• OpenBSD OpenBSD 2.6.0
• OpenBSD OpenBSD 2.9.0
• OpenPKG OpenPKG 1.0.0
• OpenSSL Project OpenSSL 0.9.1 c
• OpenSSL Project OpenSSL 0.9.2 b
• OpenSSL Project OpenSSL 0.9.3
• OpenSSL Project OpenSSL 0.9.4
• OpenSSL Project OpenSSL 0.9.5
• OpenSSL Project OpenSSL 0.9.6
• OpenSSL Project OpenSSL 0.9.6 a
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• RedHat Linux 7.0.0 alpha
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.0.0 sparc
• RedHat Linux 7.1.0 alpha
• RedHat Linux 7.1.0 i386
• RedHat Linux 7.2.0 alpha
• RedHat Linux 7.2.0 i386
• RedHat Linux 7.3.0
• RedHat Linux 7.3.0 i386
• S.u.S.E. Linux 7.1.0
• S.u.S.E. Linux 7.1.0 alpha
• S.u.S.E. Linux 7.1.0 ppc
• S.u.S.E. Linux 7.1.0 sparc
• S.u.S.E. Linux 7.2.0 i386
• SSLeay SSLeay 0.8.1
• SSLeay SSLeay 0.9.0
• SSLeay SSLeay 0.9.1
• Trustix Secure Linux 1.1.0
• Trustix Secure Linux 1.2.0
• Trustix Secure Linux 1.5.0

References:

• OpenSSL Project: OpenSSL Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.