ValiCert Enterprise Validation Authority for Solaris Weak Session Token Vulnerability

ValiCert Enterprise Validation Authority generates a random token when it communicates with Hardware Security Modules. The token is generated with a call to the C rand() function, after the generator has been seeded with the local system time.

System time is reasonably predictable and does not provide a high level of entropy. As a result, an attacker who is able to predict the system time or view some generated tokens may be able to predict future tokens.

This weakness exists only in the Solaris version of Validation Authority.


Copyright 2010, SecurityFocus