CVE-2014-0017

Gentoo Linux Security Advisory 201408-03

  • Severity Score: 4.7 (CVSS v3)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between child processes and allows local users to obtain sensitive information by leveraging a PID collision.

The RAND_bytes function in libssh prior to 0.6.3, when process creation ("forking") is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between child processes and allows local users to obtain sensitive information by exploiting a PID collision.

A server based on libssh before 0.6.3 forks when it accepts a new connection, and the child process handles the request. The RAND_bytes() function of OpenSSL doesn't reset its state after the fork, but simply adds the current process ID to the PRNG state, which is not guaranteed to be unique. The most important consequence is that servers using EC or DSA certificates may under certain conditions leak their private key.

Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet.

*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Local
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2013-12-03 CVE Reserved
  • 2014-03-12 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-310: Cryptographic Issues
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|--------|---------|---------|-------|--------|
| Libssh | Libssh | <= 0.6.2 | - | Affected |
| Libssh | Libssh | 0.4.7 | - | Affected |
| Libssh | Libssh | 0.4.8 | - | Affected |
| Libssh | Libssh | 0.5.0 | - | Affected |
| Libssh | Libssh | 0.5.0 | rc1 | Affected |
| Libssh | Libssh | 0.5.1 | - | Affected |
| Libssh | Libssh | 0.5.2 | - | Affected |
| Libssh | Libssh | 0.5.3 | - | Affected |
| Libssh | Libssh | 0.5.4 | - | Affected |
| Libssh | Libssh | 0.5.5 | - | Affected |
| Libssh | Libssh | 0.6.0 | - | Affected |
| Libssh | Libssh | 0.6.1 | - | Affected |