CVE-2001-0950

moderate-risk
Published 2001-12-04

ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.

Do I need to act?

~
1.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Enterprise Validation Authority

Affected Vendors

Valicert

References (12)

Exploit http://marc.info/?l=bugtraq&m=100749428517090&w=2
Broken Link http://www.securityfocus.com/bid/3618
Broken Link http://www.securityfocus.com/bid/3620
Broken Link http://www.valicert.com/support/security_advisory_eva.html
Third Party Advisory https://exchange.xforce.ibmcloud.com/vulnerabilities/7651
Third Party Advisory https://exchange.xforce.ibmcloud.com/vulnerabilities/7653
Exploit http://marc.info/?l=bugtraq&m=100749428517090&w=2
Broken Link http://www.securityfocus.com/bid/3618
Broken Link http://www.securityfocus.com/bid/3620
Broken Link http://www.valicert.com/support/security_advisory_eva.html
Third Party Advisory https://exchange.xforce.ibmcloud.com/vulnerabilities/7651
Third Party Advisory https://exchange.xforce.ibmcloud.com/vulnerabilities/7653
35
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal