CVE-2013-1445 — Insufficient Entropy in PRNG in Pycrypto

CWE-310 CWE-332 — Insufficient Entropy in PRNG9 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 37.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dlitz Pycrypto

Timeline

PublishedOct 26

Latest updateMay 17

Description

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶PyPIdlitz/pycrypto< 2.6.1+1

▶NVDdlitz/pycrypto2.6+11

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

PyCrypto does not properly reseed PRNG before allowing access↗2022-05-17

▶

OSV

PyCrypto does not properly reseed PRNG before allowing access↗2022-05-17

▶

CVEList

CVE-2013-1445: The Crypto↗2013-10-26

▶

OSV

CVE-2013-1445: The Crypto↗2013-10-26

▶

📋Vendor Advisories

Red Hat

python-crypto: PRNG not correctly reseeded in some situations↗2013-10-17

▶

💬Community

Bugzilla

CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations [epel-5]↗2013-10-18

▶

Bugzilla

CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations↗2013-10-18

▶

Bugzilla

CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations [fedora-all]↗2013-10-18

▶