CVE-2014-0017

Name of the Vulnerable Software and Affected Versions libssh versions prior to 0.6.3

Description The issue is related to the RAND bytes function in libssh, which does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG) when forking is enabled. This causes the state to be shared between child processes, allowing local users to obtain sensitive information by leveraging a pid collision. The vulnerability can be exploited locally and may lead to a breach of confidentiality.

Recommendations For libssh versions prior to 0.6.3, update to version 0.6.3 or later to resolve the issue. As a temporary workaround, consider disabling forking in libssh to minimize the risk of exploitation.