Protection Mechanism Failure in OpenSSL

#VU21044 Protection Mechanism Failure in OpenSSL

Published: 2019-09-11

Vulnerability identifier: #VU21044

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1549

CWE-ID: CWE-693

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to OpenSSL does not use by default a rewritten random number generator (RNG) in the event of a fork() system call, resulting in the child and parent processes share the same RNG state.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 1.1.1 - 1.1.1c

External links
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
http://www.openssl.org/news/secadv/20190910.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Speech to Text, Text to Speech

Multiple vulnerabilities in Hitachi Energy APM Edge

Ubuntu update for OpenSSL

Red Hat Enterprise Linux 8 update for openssl

Red Hat JBoss Core Services update for Apache HTTP Server

Debian update for openssl

Protection Mechanism Failure in openssl (Alpine package)

Multiple vulnerabilities in OpenSSL