ValiCert Enterprise Validation Authority for Solaris Weak Random Device Vulnerability

ValiCert Enterprise Validation Authority includes functionality to generate digital certificates. Under Solaris, it uses /dev/urandom as its random source. Unfortunately, /dev/urandom does not block reads when it is low on entropy; it keeps returning output.

An attacker able to cause or recognize a low-entropy condition in /dev/urandom may be able to use this knowledge to predict random values used by Validation Authority and, in turn, to guess some information about the generated certificate.

This weakness only exists in Validation Authority for Solaris.


