OpenSSL's PRNG (located in crypto/md_rand.c in the source) uses a hash function to update its internal secret state and to generate output. The default hash selected is SHA-1. The PRNG's internal secret state contains two variables, a chaining variable called "md", sized according to the output of the selected hash function, and a large buffer called "state". The contents of "md" are replaced by a hash function output. "state" is accessed in a circular fashion, and is used for storing additional bits of entropy.
The vulnerable versions of OpenSSL set "md" to the hash of one half of its previous value together with other data, including bytes from "state". Unfortunately, in vulnerable versions, the half of "md" passed to the hash function is the same half that is used as PRNG output. Also, the number of bytes taken from "state" can be as small as one when the requested amount of PRNG output is small, which makes a brute-force search over every possible value of that input trivial. The combination of these effects made it possible to reconstruct the complete internal PRNG state from the output of one PRNG request sized to the hash function's output (to learn the hashed half of "md"), followed by enough consecutive 1-byte PRNG requests to traverse all of "state".
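The weakness described above, worked through on a scaled-down model as an added example (this is not OpenSSL's code): because the hashed half of "md" is also the output, and each 1-byte request mixes in a single "state" byte, an observer of the output only ever faces a 256-way search per byte. Assumptions: a 16-byte "state" instead of OpenSSL's large buffer, a known starting index, and no time, PID or counter mixing; the names ToyMdRand, recover_state and demo are this example's own.

```python
import hashlib

HALF = 10  # half of SHA-1's 20-byte digest: the part the flawed update hashes and outputs

class ToyMdRand:
    """Scaled-down model of the vulnerable update (assumption: time/PID/counter
    mixing and locking omitted; only the structural flaw is kept)."""
    def __init__(self, md: bytes, state: bytes):
        self.md, self.state, self.idx = bytearray(md), bytearray(state), 0

    def rand_bytes(self, n: int) -> bytes:
        out = bytearray()
        while n > 0:
            j = min(n, HALF)                        # at most half a digest per round
            idxs = [(self.idx + k) % len(self.state) for k in range(j)]
            chunk = bytes(self.state[i] for i in idxs)   # as few as 1 byte of "state"
            self.md[:] = hashlib.sha1(bytes(self.md[:HALF]) + chunk).digest()
            for k, i in enumerate(idxs):
                self.state[i] ^= self.md[k]         # fold the digest back into "state"
            out += self.md[:j]                      # output is taken from the hashed half
            self.idx = (self.idx + j) % len(self.state)
            n -= j
        return bytes(out)

def recover_state(first_out: bytes, singles: list, state_len: int):
    """Observer's view: a HALF-byte output reveals md[:HALF]; each later 1-byte output
    depends only on that half plus one unknown "state" byte, so 256 guesses suffice.
    Returns "state" as it stands after the last observed output, or None."""
    start = HALF % state_len                        # index at which 1-byte requests begin
    def search(k, md_half, known):
        if k == len(singles):
            return bytes(known[i] for i in range(state_len)) if len(known) == state_len else None
        idx = (start + k) % state_len
        for c in ([known[idx]] if idx in known else range(256)):
            new_md = hashlib.sha1(md_half + bytes([c])).digest()
            if new_md[0] != singles[k]:
                continue                            # guess inconsistent with output: prune
            found = search(k + 1, new_md[:HALF], {**known, idx: c ^ new_md[0]})
            if found is not None:
                return found
        return None
    return search(0, first_out, {})

def demo(state_len: int = 16, seed: bytes = b"constructed seed"):
    """Constructed instance: one HALF-byte request, then 1-byte requests walking
    "state" twice; the second pass weeds out chance matches.  state_len <= 20."""
    prng = ToyMdRand(hashlib.sha1(seed).digest(), hashlib.sha1(seed + b"/s").digest()[:state_len])
    first = prng.rand_bytes(HALF)
    singles = [prng.rand_bytes(1)[0] for _ in range(2 * state_len)]
    return recover_state(first, singles, state_len), bytes(prng.state)
```

The defensive lesson the model makes concrete: never emit the bytes that feed the next state update, and mix in enough secret state per output that a per-byte exhaustive search is impossible.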