CVE-2014-0016 — Insufficient Entropy in PRNG in Stunnel

CWE-332 — Insufficient Entropy in PRNG8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 45.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Stunnel

Timeline

PublishedMar 24

Latest updateMay 17

Description

stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDstunnel/stunnel4.56+101

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-xxr9-37w5-wgwc: stunnel before 5↗2022-05-17

▶

CVEList

CVE-2014-0016: stunnel before 5↗2014-03-23

▶

📋Vendor Advisories

Red Hat

stunnel: Improper initialization of PRNG after fork()↗2014-03-05

▶

Debian

CVE-2014-0016: stunnel4 - stunnel before 5.00, when using fork threading, does not properly update the sta...↗2014

▶

💬Community

Bugzilla

CVE-2014-8102 xorg-x11-server: out of bounds access due to not validating length or offset values in XFixes extension↗2014-11-27

▶

Bugzilla

CVE-2014-0213 CVE-2014-0214 CVE-2014-0215 CVE-2014-0216 CVE-2014-0217 CVE-2014-0218 moodle: upstream 2.7, 2.6.3, 2.5.6, and 2.4.10 security fixes↗2014-05-21

▶

Bugzilla

CVE-2014-0016 stunnel: Improper initialization of PRNG after fork()↗2014-03-04

▶