Cryptographic issues in PyCrypto

#VU42419 Cryptographic issues in PyCrypto

Published: 2013-10-26 | Updated: 2020-08-10

Vulnerability identifier: #VU42419

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-1445

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PyCrypto
Client/Desktop applications / Encryption software

Vendor: GNU

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PyCrypto: 1.0.0 - 2.5

External links
http://www.debian.org/security/2013/dsa-2781
http://www.openwall.com/lists/oss-security/2013/10/17/3
http://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM Cloud Pak System

Amazon Linux AMI update for python-crypto

Cryptographic issues in GNU PyCrypto