OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
Weakness
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openssl | Openssl | 1.1.1 (including) | 1.1.1c (including) |
| JBoss Core Services Apache HTTP Server 2.4.37 SP2 | RedHat | openssl | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | openssl-1:1.1.1c-15.el8 | * |
| Edk2 | Ubuntu | eoan | * |
| Edk2 | Ubuntu | trusty | * |
| Nodejs | Ubuntu | trusty | * |
| Openssl | Ubuntu | bionic | * |
| Openssl | Ubuntu | devel | * |
| Openssl | Ubuntu | disco | * |
| Openssl | Ubuntu | eoan | * |
| Openssl | Ubuntu | esm-infra/bionic | * |
| Openssl | Ubuntu | esm-infra/focal | * |
| Openssl | Ubuntu | focal | * |
| Openssl | Ubuntu | groovy | * |
| Openssl | Ubuntu | hirsute | * |
| Openssl | Ubuntu | precise/esm | * |
| Openssl | Ubuntu | trusty | * |
| Openssl | Ubuntu | upstream | * |
Potential Mitigations
- Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
- In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
- Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a “random enough” number.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/112.html
- https://cwe.mitre.org/data/definitions/485.html
- https://cwe.mitre.org/data/definitions/59.html
References
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://seclists.org/bugtraq/2019/Oct/1
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://support.f5.com/csp/article/K44070243
- https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp%3Butm_medium=RSS
- https://usn.ubuntu.com/4376-1/
- https://www.debian.org/security/2019/dsa-4539
- https://www.openssl.org/news/secadv/20190910.txt
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://seclists.org/bugtraq/2019/Oct/1
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://support.f5.com/csp/article/K44070243
- https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp%3Butm_medium=RSS
- https://usn.ubuntu.com/4376-1/
- https://www.debian.org/security/2019/dsa-4539
- https://www.openssl.org/news/secadv/20190910.txt
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html