Bug 1046045 (CVE-2007-6755)
| Summary: | CVE-2007-6755 Dual_EC_DRBG: weak pseudo random number generator | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ratul Gupta <ratulg> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | Keywords: | Security |
| Severity: | medium | Priority: | medium |
| Version: | unspecified | CC: | emaldona, jkurik, tmraz |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2014-01-02 21:21:26 UTC |
| Bug Blocks: | 1046046 | | |

Description
Ratul Gupta
2013-12-23 11:20:59 UTC
Cryptography libraries shipped as part of Red Hat products did not include support for Elliptic Curve Cryptography, which is used by the Dual EC DRBG, until recently. Red Hat Enterprise Linux 6.5 adds support for ECC to the openssl and nss packages, limiting support to Suite B curves and their use in TLS. Dual EC DRBG is not implemented in either of those packages.

OpenSSL upstream recently issued an announcement describing how the library uses Dual EC DRBG:

http://thread.gmane.org/gmane.comp.encryption.openssl.announce/113
https://lwn.net/Articles/578375/

This PRNG algorithm was only implemented for the OpenSSL version that went through FIPS validation; it was never part of the standard non-FIPS upstream OpenSSL version. Additionally, the OpenSSL implementation contained a bug that prevented it from working in non-test use cases. Due to that, upstream believes that this implementation wasn't used in practice. Rather than fixing the implementation bug, Dual EC DRBG was removed from OpenSSL and will not be included in future OpenSSL FIPS module versions:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=200f249

The openssl packages shipped with Red Hat Enterprise Linux did not include a Dual EC DRBG implementation, not even in versions that were FIPS validated.

Statement:

Not vulnerable. This issue did not affect cryptography library packages as shipped with Red Hat products, as they do not implement the Dual EC DRBG algorithm.