CVE-2014-0016

Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 23 Mar 2014, 15:00
Last modified:06 Aug 2024, 08:58

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4.3 MEDIUM
v2.0 (nvd)
EPSS Score
0.31% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

23 Mar 2014, 15:00
Published
Vulnerability first disclosed
06 Aug 2024, 08:58
Last Modified
Vulnerability information updated

Description

stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.

CVSS Metrics

  • v2.0MEDIUMScore: 4.3AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.31% Percentile: 55%

Techniques & Countermeasures

  • CWE-332Insufficient Entropy in PRNG

    The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

Affected Systems

  • stunnelstunnel

    ≤ 4.56 | 0.1 | 1.0 | 1.1 | 1.2 | 1.3 | 1.4 | 1.5 | 1.6 | 2.0 | 2.1 | 3.0 | 3.0:b1 | 3.0:b2 | 3.0:b3 | 3.0:b4 | 3.0:b5 | 3.0:b6 | 3.0:b7 | 3.1 | 3.2 | 3.3 | 3.4a | 3.5 | 3.6 | 3.7 | 3.8 | 3.8:p1 | 3.8:p2 | 3.8:p3 | 3.8:p4 | 3.8p1 | 3.8p2 | 3.8p3 | 3.8p4 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 | 3.15 | 3.16 | 3.17 | 3.18 | 3.19 | 3.20 | 3.21 | 3.21a | 3.21b | 3.21c | 3.22 | 3.23 | 3.24 | 3.25 | 3.26 | 4.00 | 4.0 | 4.01 | 4.02 | 4.03 | 4.04 | 4.05 | 4.06 | 4.07 | 4.08 | 4.09 | 4.10 | 4.11 | 4.12 | 4.13 | 4.14 | 4.15 | 4.16 | 4.17 | 4.18 | 4.19 | 4.20 | 4.21 | 4.22 | 4.23 | 4.24 | 4.25 | 4.26 | 4.27 | 4.28 | 4.29 | 4.30 | 4.31 | 4.32 | 4.33 | 4.34 | 4.35 | 4.36 | 4.37 | 4.38 | 4.39 | 4.40 | 4.41 | 4.42 | 4.43 | 4.44 | 4.45 | 4.46 | 4.47 | 4.48 | 4.49 | 4.50 | 4.51 | 4.52 | 4.53 | 4.54 | 4.55

References (5)