CVE-2007-5502 - OpenCVE

The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which generates random data that is more predictable than expected and makes it easier for attackers to bypass protection mechanisms that rely on the randomness.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openssl	Fips Object Module

Configuration 1 [-]

cpe:2.3:a:openssl:fips_object_module:1.1.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/27859
http://www.kb.cert.org/vuls/id/150249
http://www.openssl.org/news/secadv_20071129.txt
http://www.securityfocus.com/bid/26652
http://www.securitytracker.com/id?1019029
http://www.vupen.com/english/advisories/2007/4044
https://exchange.xforce.ibmcloud.com/vulnerabilities/38796
https://nvd.nist.gov/vuln/detail/CVE-2007-5502
https://www.cve.org/CVERecord?id=CVE-2007-5502

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2007-12-01T02:00:00

Updated: 2024-08-07T15:31:58.603Z

Reserved: 2007-10-17T00:00:00

Link: CVE-2007-5502

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-12-01T06:46:00.000

Modified: 2017-07-29T01:33:43.163

Link: CVE-2007-5502

Redhat

Severity : Moderate

Publid Date: 2007-11-29T00:00:00Z

Links: CVE-2007-5502 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-11-30T00:00:00", "descriptions": [{"lang": "en", "value": "The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which generates random data that is more predictable than expected and makes it easier for attackers to bypass protection mechanisms that rely on the randomness."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "ADV-2007-4044", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/4044"}, {"name": "26652", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/26652"}, {"name": "1019029", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1019029"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.openssl.org/news/secadv_20071129.txt"}, {"name": "27859", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27859"}, {"name": "openssl-fips-prng-security-bypass(38796)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38796"}, {"name": "VU#150249", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/150249"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T15:31:58.603Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2007-4044", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/4044"}, {"name": "26652", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/26652"}, {"name": "1019029", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1019029"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.openssl.org/news/secadv_20071129.txt"}, {"name": "27859", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27859"}, {"name": "openssl-fips-prng-security-bypass(38796)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38796"}, {"name": "VU#150249", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/150249"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2007-5502", "datePublished": "2007-12-01T02:00:00", "dateReserved": "2007-10-17T00:00:00", "dateUpdated": "2024-08-07T15:31:58.603Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:fips_object_module:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8FF77E62-FB77-4A67-B618-D71D0F5CD87F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which generates random data that is more predictable than expected and makes it easier for attackers to bypass protection mechanisms that rely on the randomness."}, {"lang": "es", "value": "La implementaci\u00f3n PRNG para OpenSSL FIPS Object Module 1.1.1 no realiza una selecci\u00f3n previa autom\u00e1tica de la semilla durante el test de FIPS que realiza a s\u00ed mismo. Esto genera informaci\u00f3n arbitraria que es m\u00e1s predecible de lo esperado y hace que, para los atacantes, sea m\u00e1s f\u00e1cil vulnerar los mecanismos de protecci\u00f3n basados en aleatoriedad."}], "id": "CVE-2007-5502", "lastModified": "2017-07-29T01:33:43.163", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-12-01T06:46:00.000", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/27859"}, {"source": "secalert@redhat.com", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/150249"}, {"source": "secalert@redhat.com", "url": "http://www.openssl.org/news/secadv_20071129.txt"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/26652"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1019029"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2007/4044"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38796"}], "sourceIdentifier": "secalert@redhat.com", "vendorComments": [{"comment": "Not vulnerable. This vulnerability only affected the OpenSSL FIPS Object Module which is not enabled or used by OpenSSL in Red Hat Enterprise Linux 2.1, 3, 4, or 5.\n", "lastModified": "2007-12-03T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}