CVE-2001-0950

ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/3618	Patch Vendor Advisory
http://www.securityfocus.com/bid/3620	Patch Vendor Advisory
http://www.valicert.com/support/security_advisory_eva.html
http://marc.info/?l=bugtraq&m=100749428517090&w=2
https://exchange.xforce.ibmcloud.com/vulnerabilities/7653
https://exchange.xforce.ibmcloud.com/vulnerabilities/7651

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:valicert:enterprise_validation_authority:3.8:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:3.9:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:3.3:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:4.0:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:4.1:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:3.6:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:3.7:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:3.4:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:3.5:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:4.2:::::::*
	cpe:2.3:a:valicert:enterprise_validation_authority:4.2.1:::::::*

Information

Published : 2001-12-03 21:00

Updated : 2017-12-18 18:29

NVD link : CVE-2001-0950

Mitre link : CVE-2001-0950

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

valicert

enterprise_validation_authority

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/3618", "name": "3618", "tags": ["Patch", "Vendor Advisory"], "refsource": "BID"}, {"url": "http://www.securityfocus.com/bid/3620", "name": "3620", "tags": ["Patch", "Vendor Advisory"], "refsource": "BID"}, {"url": "http://www.valicert.com/support/security_advisory_eva.html", "name": "http://www.valicert.com/support/security_advisory_eva.html", "tags": [], "refsource": "CONFIRM"}, {"url": "http://marc.info/?l=bugtraq&m=100749428517090&w=2", "name": "20011204 NMRC Advisory - Multiple Valicert Problems", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/7653", "name": "eva-insecure-key-generation(7653)", "tags": [], "refsource": "XF"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/7651", "name": "eva-insecure-key-storage(7651)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2001-0950", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2001-12-04T05:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:3.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:valicert:enterprise_validation_authority:4.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-12-19T02:29Z"}