Vulnerability Name:

CVE-2013-1445

Assigned:2013-01-26
Published:2013-10-26
Updated:2013-10-28
Summary:The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it. Reseeding is rate-limited, so a child process that is forked and reads from the PRNG within the same rate-limit period as another process (its parent or a sibling) keeps the generator state it inherited at fork time and can emit the same random bytes as that other process. This makes it easier for context-dependent attackers to obtain sensitive information by leveraging that race condition. Fixed in PyCrypto 2.6.1.
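The failure mode described in the summary, as an added example that is not PyCrypto's own code: a minimal model of a Fortuna-style generator whose reseeding is rate-limited, plus two versions of an atfork() hook. The 100 ms window, the SHA-256 key schedule, the HMAC-SHA256 output stream and the deterministic entropy source are stand-ins chosen for this illustration, and copy.deepcopy stands in for the process-image copy that os.fork() performs; none of these are the library's actual internals.

```python
# Added illustration of CVE-2013-1445 (not PyCrypto's code). A Fortuna-style
# generator that refuses to reseed more than once per window, and an atfork()
# hook that merely *requests* a reseed, lets a child forked inside the window
# inherit and reuse the parent's key and counter.
import copy
import hashlib
import hmac

RESEED_INTERVAL = 0.100  # seconds; assumed rate-limit window for this model


class RateLimitedRNG:
    """Toy generator: 32-byte key, 64-bit counter, HMAC-SHA256 output blocks."""

    def __init__(self, entropy_source, clock):
        self._entropy = entropy_source      # callable returning fresh entropy bytes
        self._clock = clock                 # callable returning monotonic seconds
        self._key = b"\x00" * 32
        self._counter = 0
        self._last_reseed = float("-inf")
        self.reseed()                       # the first reseed is never rate-limited

    def reseed(self, force=False):
        """Mix new entropy into the key. Returns False and changes nothing when
        called again inside the rate-limit window, unless force=True."""
        now = self._clock()
        if not force and now - self._last_reseed < RESEED_INTERVAL:
            return False
        self._key = hashlib.sha256(self._key + self._entropy()).digest()
        self._counter = 0
        self._last_reseed = now
        return True

    def read(self, n):
        out = b""
        while len(out) < n:
            out += hmac.new(self._key, self._counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
            self._counter += 1
        return out[:n]


def vulnerable_atfork(rng):
    """Modelled pre-2.6.1 behaviour: ask for a reseed and trust that it happened.
    Inside the window the request is silently dropped, so the child keeps the
    parent's key and counter and produces the same stream."""
    rng.reseed()


def fixed_atfork(rng):
    """Modelled fixed behaviour: a new process must never share generator state,
    so the reseed bypasses the rate limiter."""
    rng.reseed(force=True)


def fork_and_compare(atfork, fork_delay, nbytes=16):
    """Build a parent generator, 'fork' it fork_delay seconds after its last
    reseed, run the given atfork hook in the child, and return the first nbytes
    each process would hand out. A deterministic entropy source is used so the
    comparison is reproducible; real entropy would not change the outcome."""
    now = [0.0]
    draws = [0]

    def clock():
        return now[0]

    def entropy():                  # constructed stand-in for OS entropy
        draws[0] += 1
        return draws[0].to_bytes(4, "big")

    parent = RateLimitedRNG(entropy, clock)   # reseeds at t = 0
    now[0] += fork_delay
    child = copy.deepcopy(parent)             # fork(): child inherits the full state
    atfork(child)
    return parent.read(nbytes), child.read(nbytes)


if __name__ == "__main__":
    cases = (("vulnerable hook, forked inside window", vulnerable_atfork, 0.01),
             ("vulnerable hook, forked after window", vulnerable_atfork, 0.5),
             ("fixed hook, forked inside window", fixed_atfork, 0.01))
    for label, hook, delay in cases:
        p, c = fork_and_compare(hook, delay)
        print(f"{label}: {'SAME' if p == c else 'different'} output")
```

The practical consequence for deployments of an affected version is that calling Crypto.Random.atfork() in the child, which is the documented fork-safety step, is not by itself enough: a prefork worker pool that forks several children in quick succession right after the parent's own reseed is exactly the timing the rate limiter rejects. Upgrading to 2.6.1 or later is the fix; the atfork() call in the child remains necessary on every version.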
CVSS v3 Severity:3.7 Low (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-310 (Cryptographic Issues)
References:Source: DEBIAN
Type: UNKNOWN
DSA-2781

Source: MLIST
Type: PATCH
[oss-security] 20131017 CVE-2013-1445 python-crypto:PRNG not correctly reseeded in some situations

Source: XF
Type: UNKNOWN
pycrypto-cve20131445-info-disc(88132)

Source: CONFIRM
Type: UNKNOWN
https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175

Vulnerable Configuration:Configuration 1:
  • cpe:/a:dlitz:pycrypto:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.6:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:dlitz:pycrypto:1.0.0:*:*:*:*:*:*:*

  • denotes that the component is vulnerable.

    Oval Definitions (Class: V = vulnerability definition, P = patch definition)
    Definition ID                                | Class | Title                                                                      | Last Modified
    oval:org.opensuse.security:def:20131445      | V     | CVE-2013-1445                                                              | 2017-11-17
    oval:org.mitre.oval:def:19624                | P     | DSA-2781-1 python-crypto - PRNG not correctly reseeded in some situations  | 2014-06-23
    oval:com.ubuntu.precise:def:20131445000      | V     | CVE-2013-1445 on Ubuntu 12.04 LTS (precise) - low.                         | 2013-10-26
    oval:com.ubuntu.trusty:def:20131445000       | V     | CVE-2013-1445 on Ubuntu 14.04 LTS (trusty) - low.                          | 2013-10-26
    oval:com.ubuntu.xenial:def:20131445000       | V     | CVE-2013-1445 on Ubuntu 16.04 LTS (xenial) - low.                          | 2013-10-26