Detections
Analytics

GLSA-201408-14 : stunnel: Information disclosure

medium Nessus Plugin ID 77458

Language:

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-201408-14 (stunnel: Information disclosure)

 stunnel does not properly update the state of the pseudo-random generator after fork-threading which causes subsequent children with the same process ID to use the same entropy pool. ECDSA and DSA keys, when not used in deterministic mode (RFC6979), rely on random data for its k parameter to not leak private key information.
 Impact :

 A remote attacker may gain access to private key information from ECDSA or DSA keys.
 Workaround :

 There is no known workaround at this time.

Solution

All stunnel users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/stunnel-5.02'

See Also

https://security.gentoo.org/glsa/201408-14

Plugin Details

Severity: Medium

ID: 77458

File Name: gentoo_GLSA-201408-14.nasl

Version: 1.6

Type: local

Published: 8/30/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:stunnel, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/29/2014

Reference Information

CVE: CVE-2014-0016

BID: 65964

GLSA: 201408-14