ID CVE-2001-0950
Summary ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.
References
Vulnerable Configurations
  • cpe:2.3:a:valicert:enterprise_validation_authority:*:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 15-02-2024 - 03:29)
Impact:
Exploitability:
CWE CWE-331
CAPEC
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid
  • 3618
  • 3620
bugtraq 20011204 NMRC Advisory - Multiple Valicert Problems
confirm http://www.valicert.com/support/security_advisory_eva.html
xf
  • eva-insecure-key-generation(7653)
  • eva-insecure-key-storage(7651)
Last major update 15-02-2024 - 03:29
Published 04-12-2001 - 05:00
Last modified 15-02-2024 - 03:29