Vulnerabilities > CVE-2001-1141
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 7 | |
Application | 3 |
Nessus
NASL family Gain a shell remotely NASL id OPENSSL_OVERFLOW_GENERIC_TEST.NASL description The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself. last seen 2020-03-18 modified 2002-08-05 plugin id 11060 published 2002-08-05 reporter This script is Copyright (C) 2002-2018 Solar Eclipse / Renaud Deraison source https://www.tenable.com/plugins/nessus/11060 title OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities code #TRUSTED 0c735fb6d18b92e7dc463c39c93d50b398065651cd7c0ed318a5d1d34834031824c3a22050ca6e31fbcc01030a07f38ce398a73c4434f40cb325e945345c784571586ec7573bbad8187a83596ed8318eaf6fbe29658c28bbe29b37b708585e162f200a9dc8e3bb88b92c4ed92cc2ba1f3a809c28160e7ce5f02d05b54fe911864cb36397a0a6c7db4ce53e6c12d096326a0b0727e3f007c5b916a75245b03a0c89887f2a18c581d7a4c49d88672878280dc6da584f38fcfb32d39750cece204f7a4cdd4d8e5a18bc563660825d4db1ee613352088fdc75b46c9dade84128772db6b409a5b09ed95b3156e4175c6d66dea8e2f1aa3db4e4c723621cec8449ba4b4869188c9e4687fd548a2c19c20bfc66382490a21d71e882380baf0c6c9b33b4382c5ce2683444bf2988676a4abe4e2865c6782ef082ebcf0ad497a1cc0c9cb35128ba8c71af2eb86b143e720d1e461e6556cd4385e503f30cea015f9d8bbaf86087917e85775f1a89b32e0323aab41988798789ba048a32d1fda6103fee96f4c882cd51ed5020991e252eee40c145fcce7c754df18a8cac345a4b4d20a503ac645e70005c5f48de74f07b68ac07b51bb6d8c05de995db8b389dce0ca9e57291b3e43a0218c94628387c12c67ba32cf4beff50a54372c43eab3040569ff783cba5fbb9ed40b3996e373be2aeec209568a4832fd3fe0d490a0857f942f69a71b9 # # (C) Tenable Network Security, Inc. # # Thanks to Solar Eclipse <[email protected]>, who did most # of the work. # # Will incidentally cover CVE-2001-1141 and CVE-2000-0535 # include("compat.inc"); if (description) { script_id(11060); script_version("1.61"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id( "CVE-2000-0535", "CVE-2001-1141", "CVE-2002-0655", "CVE-2002-0656", "CVE-2002-0657", "CVE-2002-0659" ); script_bugtraq_id(1340, 3004, 5361, 5362, 5363, 5364, 5366); script_xref(name:"SuSE", value:"SUSE-SA:2002:033"); script_name(english:"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities"); script_summary(english:"Checks for the behavior of OpenSSL"); script_set_attribute(attribute:"synopsis", value: "The remote service uses a library that is affected by a buffer overflow vulnerability."); script_set_attribute(attribute:"description", value: "The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself."); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL version 0.9.6e / 0.9.7beta3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/05"); script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); script_copyright(english:"This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison"); script_family(english:"Gain a shell remotely"); script_dependencies("ssl_supported_versions.nasl"); script_require_keys("SSL/Supported"); exit(0); } include("byte_func.inc"); include("ftp_func.inc"); include("global_settings.inc"); include("kerberos_func.inc"); include("ldap_func.inc"); include("misc_func.inc"); include("nntp_func.inc"); include("smtp_func.inc"); include("ssl_funcs.inc"); include("telnet2_func.inc"); if ( safe_checks() && report_paranoia < 2 ) exit(0); #------------------------------ Consts ----------------------# client_hello = raw_string( 0x80, 0x31, 0x01, 0x00, 0x02, 0x00, 0x18,0x00, 0x00, 0x00, 0x10,0x07, 0x00, 0xC0, 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, 0x00, 0x80, 0x02, 0x00, 0x80, 0xE4, 0xBD, 0x00, 0x00, 0xA4, 0x41, 0xB6, 0x74, 0x71, 0x2B, 0x27, 0x95, 0x44, 0xC0, 0x3D, 0xC0); poison = raw_string( 0x80,0x5a,0x2,0x7, 0x0,0xc0,0x0,0x0, 0x0,0x40,0x0,0x10, 0x19,0x53,0xf,0x55, 0x5e,0xaa,0x68,0x71, 0x3,0x27,0x4,0x5a, 0x1f,0x5,0xea,0x33, 0x29,0x5b,0xb9,0x3f, 0x7d,0x28,0xe6,0x4c, 0xd4,0xb3,0x8e,0x36, 0x44,0xb5,0x86,0x6c, 0x6c,0x6,0xc1,0x5c, 0x45,0x73,0xb8,0x11, 0x55,0x23,0x3e,0x2a, 0x52,0xe0,0x52,0x30, 0xda,0xf8,0xee,0x15, 0x79,0xe1,0x3c,0x68, 0x36,0xd1,0x14,0x26, 0xae,0xd4,0x30,0x2, 0x0,0x0,0x0,0x0, 0x4,0x0,0x0,0x0, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41); big_poison = raw_string( 0x81, 0xca, 0x2, 0x7, 0x0, 0xc0, 0x0, 0x0, 0x0, 0x40, 0x1, 0x80, 0xa4, 0x20, 0xb4, 0x44, 0xd, 0xe, 0x7c, 0x5, 0xc2, 0x21, 0x28, 0x4d, 0xd3, 0xab, 0x6b, 0x72, 0x10, 0xa3, 0x64, 0x7e, 0x9, 0x7e, 0xe8, 0x28, 0xe, 0x98, 0x5a, 0x5, 0x2f, 0x32, 0xbb, 0xa, 0x3c, 0xe0, 0x58, 0x5a, 0xc5, 0xf1, 0x91, 0x36, 0x1a, 0x27, 0x2c, 0x37, 0x4b, 0xc2, 0xd2, 0x49, 0x28, 0xc4, 0xf1, 0x76, 0x41, 0xe5, 0xa4, 0x2d, 0xe6, 0x9a, 0x55, 0x7e, 0x27, 0x38, 0x89, 0x13, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41); #-------- The code. We need the check what happens on each port ------------# moderate_report = "Note that since safe checks are enabled, this check might be fooled by non-openssl implementations and produce a false positive. In doubt, re-execute the scan without the safe checks"; get_kb_item_or_exit("SSL/Supported"); port = get_ssl_ports(fork:TRUE); if (isnull(port)) exit(1, "The host does not appear to have any SSL-based services."); # Find out if the port is open. if (!get_port_state(port)) exit(0, "Port " + port + " is not open."); # Connect to the port, issuing the StartTLS command if necessary. soc = open_sock_ssl(port); if (!soc) exit(1, "open_sock_ssl() returned NULL for port " + port + "."); send(socket:soc, data:client_hello); buf = recv(socket:soc, length:8192); if(!strlen(buf))exit(0); send(socket:soc, data:poison); buf = recv(socket:soc, length:10); close(soc); if(safe_checks()) { if(strlen(buf) > 5)security_hole(port:port, extra: moderate_report); } else { if(strlen(buf) > 5) { # Connect to the port, issuing the StartTLS command if necessary. soc = open_sock_ssl(port); if (!soc) exit(1, "open_sock_ssl() returned NULL for port " + port + "."); send(socket:soc, data:client_hello); buf = recv(socket:soc, length:8192); if(!strlen(buf))exit(0); n = send(socket:soc, data:big_poison); if ( n != strlen(big_poison) ) exit(0); buf = recv(socket:soc, length:4096); close(soc); if(strlen(buf) == 0)security_hole(port); } }
NASL family Web Servers NASL id OPENSSL_0_9_6B.NASL description According to its banner, the remote web server is running a version of OpenSSL that is earlier than 0.9.6b and allows remote attackers to predict the output of the pseudo-random generator. last seen 2020-06-01 modified 2020-06-02 plugin id 17745 published 2012-01-04 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17745 title OpenSSL < 0.9.6b Predictable Random Generator code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17745); script_version("1.7"); script_cvs_date("Date: 2018/07/16 14:09:14"); script_cve_id("CVE-2001-1141"); script_bugtraq_id(3004); script_name(english:"OpenSSL < 0.9.6b Predictable Random Generator"); script_summary(english:"Does a banner check"); script_set_attribute(attribute:"synopsis", value: "The remote server is affected by an SSL-related vulnerability."); script_set_attribute(attribute:"description", value: "According to its banner, the remote web server is running a version of OpenSSL that is earlier than 0.9.6b and allows remote attackers to predict the output of the pseudo-random generator."); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL 0.9.6b or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10"); script_set_attribute(attribute:"patch_publication_date", value:"2001/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/04"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies("openssl_version.nasl"); script_require_keys("openssl/port"); exit(0); } include("openssl_version.inc"); openssl_check_version(fixed:'0.9.6b', severity:SECURITY_WARNING);
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2001-065.NASL description The pseudo-random number generator in OpenSSL versions up to 0.9.6a has a design flaw. By knowing the output of specific PRNG requests, an attacker would be able to determine the PRNG last seen 2020-06-01 modified 2020-06-02 plugin id 13880 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13880 title Mandrake Linux Security Advisory : openssl (MDKSA-2001:065)
Redhat
advisories |
|
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-013.txt.asc
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-065.php3?dis=8.0
- http://www.linuxsecurity.com/advisories/other_advisory-1483.html
- http://www.osvdb.org/853
- http://www.redhat.com/support/errata/RHSA-2001-051.html
- http://www.securityfocus.com/advisories/3475
- http://www.securityfocus.com/archive/1/195829
- http://www.securityfocus.com/bid/3004
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6823