libssh CVE-2014-0017: Thread PRNG improper initialization after fork leads to private key leakage

Critical Vulnerability Information Vulnerability ID: Bug 1072191 (CVE-2014-0017) Description: libssh: Thread PRNG improperly initialized after fork(). Report Date: 2014-03-04 05:48 UTC Status: CLOSED NOTABUG Product: Security Response Component: vulnerability Priority: medium Severity: medium Environment: Linux Record Update: Last Closed: 2014-03-06 04:56:16 UTC Detailed Information Vulnerability Details: A vulnerability was discovered in the libssh server. When accepting a new connection, the server forks, and the child process handles the request. After forking, OpenSSL's RAND_bytes() function does not reset its state; it only adds the current process ID (getpid) to the PRNG state, which does not guarantee uniqueness. The most critical consequence is that servers using EC (ECDSA) or DSA certificates may leak their private keys under certain conditions. Acknowledgments: Reported by Aris Adamantiadis. Public Fix: - Git patch provided: http://git.libssh.org/projects/libssh.git/commit/?id=e99246246b4061f7e71463f8806b9dcad65affa0 - Fixed in upstream libssh-0.6.3: http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/ Impact Scope: - This issue affects only the server component of the libssh library. libssh2 is unaffected, as it is a C library implementing the SSH-2 protocol as a client component (no server component). - The vulnerability does not affect libssh2 as shipped with Red Hat Enterprise Linux 5 and 6. Fixed Versions: - Fedora 20: libssh-0.6.3-1.fc20 - Fedora 19: libssh-0.6.3-1.fc19 - Fedora EPEL 5: libssh-0.5.5-2.e15 - Fedora EPEL 6: libssh-0.5.5-2.e16

Goal Reached Thanks to every supporter — we hit 100%!

libssh CVE-2014-0017: Thread PRNG improper initialization after fork leads to private key leakage