CVE-2014-0017 — Libssh vulnerability

CWE-31012 documents8 sources

Severity

1.9LOWNVD

EPSS

0.1%

top 74.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libssh

Timeline

PublishedMar 14

Latest updateMay 17

Description

The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages2 packages

▶Debianlibssh/libssh< 0.5.4-3+3

▶NVDlibssh/libssh0.6.2+10

Patches

Patch: www.libssh.org ↗Patch: www.libssh.org ↗

🔴Vulnerability Details

GHSA

GHSA-mw96-qp3x-6qgr: The RAND_bytes function in libssh before 0↗2022-05-17

▶

CVEList

CVE-2014-0017: The RAND_bytes function in libssh before 0↗2014-03-14

▶

OSV

CVE-2014-0017: The RAND_bytes function in libssh before 0↗2014-03-14

▶

📋Vendor Advisories

Ubuntu

libssh vulnerability↗2014-03-12

▶

Red Hat

libssh: Improper initialization of PRNG after fork()↗2014-03-04

▶

Debian

CVE-2014-0017: libssh - The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does no...↗2014

▶

💬Community

Bugzilla

CVE-2014-0213 CVE-2014-0214 CVE-2014-0215 CVE-2014-0216 CVE-2014-0217 CVE-2014-0218 moodle: upstream 2.7, 2.6.3, 2.5.6, and 2.4.10 security fixes↗2014-05-21

▶

Bugzilla

CVE-2014-0017 libssh: Improper initialization of PRNG after fork() [epel-5]↗2014-03-05

▶

Bugzilla

CVE-2014-0017 libssh: Improper initialization of PRNG after fork() [fedora-all]↗2014-03-05

▶

Bugzilla

CVE-2014-0017 libssh: Improper initialization of PRNG after fork() [epel-6]↗2014-03-05

▶

Bugzilla

CVE-2014-0017 libssh: Improper initialization of PRNG after fork()↗2014-03-04

▶