Vulnerability Description
The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dlitz | Pycrypto | <= 2.6 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2013/dsa-2781
- http://www.openwall.com/lists/oss-security/2013/10/17/3ExploitPatch
- https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef17Exploit
- http://www.debian.org/security/2013/dsa-2781
- http://www.openwall.com/lists/oss-security/2013/10/17/3ExploitPatch
- https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef17Exploit
FAQ
What is CVE-2013-1445?
CVE-2013-1445 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for co...
How severe is CVE-2013-1445?
CVE-2013-1445 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-1445?
Check the references section above for vendor advisories and patch information. Affected products include: Dlitz Pycrypto.