CVE-2014-0016

Published: 24/03/2014 Updated: 26/01/2017
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

stunnel prior to 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote malicious users to obtain private keys for EC (ECDSA) or DSA certificates.

Vulnerable Product

stunnel stunnel 4.53

stunnel stunnel 4.51

stunnel stunnel 4.46

stunnel stunnel 4.44

stunnel stunnel 4.37

stunnel stunnel 4.35

stunnel stunnel 4.28

stunnel stunnel 4.26

stunnel stunnel 4.21

stunnel stunnel 4.19

stunnel stunnel 4.17

stunnel stunnel 4.12

stunnel stunnel 4.10

stunnel stunnel 4.03

stunnel stunnel 4.01

stunnel stunnel 3.8p3

stunnel stunnel 3.8p1

stunnel stunnel 3.8

stunnel stunnel 3.6

stunnel stunnel 3.4a

stunnel stunnel 3.21c

stunnel stunnel 3.21a

stunnel stunnel 3.18

stunnel stunnel 3.16

stunnel stunnel 3.14

stunnel stunnel 3.1

stunnel stunnel 3.0

stunnel stunnel 2.1

stunnel stunnel 1.6

stunnel stunnel 0.1

stunnel stunnel

stunnel stunnel 4.50

stunnel stunnel 4.49

stunnel stunnel 4.48

stunnel stunnel 4.47

stunnel stunnel 4.33

stunnel stunnel 4.32

stunnel stunnel 4.31

stunnel stunnel 4.30

stunnel stunnel 4.16

stunnel stunnel 4.15

stunnel stunnel 4.14

stunnel stunnel 4.13

stunnel stunnel 4.00

stunnel stunnel 4.0

stunnel stunnel 3.9

stunnel stunnel 3.8p4

stunnel stunnel 3.26

stunnel stunnel 3.25

stunnel stunnel 3.24

stunnel stunnel 3.23

stunnel stunnel 3.13

stunnel stunnel 3.12

stunnel stunnel 3.11

stunnel stunnel 3.10

stunnel stunnel 1.5

stunnel stunnel 1.4

stunnel stunnel 1.3

stunnel stunnel 1.2

stunnel stunnel 1.1

stunnel stunnel 4.42

stunnel stunnel 4.41

stunnel stunnel 4.40

stunnel stunnel 4.39

stunnel stunnel 4.38

stunnel stunnel 4.25

stunnel stunnel 4.24

stunnel stunnel 4.23

stunnel stunnel 4.22

stunnel stunnel 4.08

stunnel stunnel 4.07

stunnel stunnel 4.06

stunnel stunnel 4.05

stunnel stunnel 3.7

stunnel stunnel 3.21

stunnel stunnel 3.20

stunnel stunnel 3.2

stunnel stunnel 3.19

stunnel stunnel 4.54

stunnel stunnel 4.52

stunnel stunnel 4.45

stunnel stunnel 4.43

stunnel stunnel 4.36

stunnel stunnel 4.34

stunnel stunnel 4.29

stunnel stunnel 4.27

stunnel stunnel 4.20

stunnel stunnel 4.18

stunnel stunnel 4.11

stunnel stunnel 4.09

stunnel stunnel 4.04

stunnel stunnel 4.02

stunnel stunnel 3.8p2

stunnel stunnel 3.5

stunnel stunnel 3.3

stunnel stunnel 3.22

stunnel stunnel 3.21b

stunnel stunnel 3.17

stunnel stunnel 3.15

stunnel stunnel 2.0

stunnel stunnel 1.0

stunnel stunnel 4.55

Vendor Advisories

stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates ...