PT-2001-2103 · ValiCert · ValiCert Enterprise Validation Authority (EVA) Administration Server

Published

2001-12-04

·

Updated

2024-02-15

·

CVE-2001-0950

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: ValiCert Enterprise Validation Authority (EVA) Administration Server, versions 3.3 through 4.2.1.
Description: The Administration Server uses insufficiently random data in two places. (1) Session tokens for HSMs are generated with the C rand function. rand() is a small-state pseudorandom generator that is not designed to be unpredictable: its entire output sequence is determined by a seed of at most 32 bits, so an attacker who can guess or enumerate the seed (for example, one derived from the time the token was issued) can regenerate the token offline and does not need to guess the token itself. (2) Certificates and keys are generated from /dev/urandom rather than /dev/random, the source that blocks when the kernel's entropy estimate is low; /dev/urandom returns output even before the pool has been properly seeded, which on a freshly booted or entropy-starved system of that era could leave key material with far less than its nominal strength. Either weakness could make it easier for local or remote attackers to steal tokens or certificates by brute-force guessing. For readers assessing the issue today: on current Linux kernels /dev/urandom and getrandom(2) draw from the same CSPRNG once it has been seeded at boot, so the second finding mainly concerns reads made before seeding; the rand() finding is as serious now as it was in 2001.
Recommendations: For versions 3.3 through 4.2.1 the affected code paths need to change, not merely be reconfigured. Replace rand() with a cryptographically secure generator: the operating system's CSPRNG (/dev/random, or getrandom(2) on kernels that provide it, which blocks only until the pool has been seeded), a library CSPRNG such as OpenSSL's RAND_bytes seeded from it, or a hardware random number generator where one is available. Generate certificates and keys only from a source that will not return output before it has been seeded, and make a failure to obtain random bytes abort token or key generation rather than fall back to rand(). Session tokens should carry at least 128 bits of such randomness. Keys and certificates already issued by an affected version should be treated as potentially weak and reissued once the generator has been fixed. As a temporary mitigation, restrict network and local access to the Administration Server, and to its certificate and key generation functions, to trusted administrators.
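The two findings above, shown side by side in C as an added example (this is not ValiCert's code and not part of the advisory): a token built from rand() after seeding with the wall clock is recovered by trying every seed in a window around its issue time, while the hardened routine takes token or key bytes from the kernel CSPRNG, using getrandom(2) on Linux (which blocks only until the pool has been seeded) and /dev/urandom elsewhere. The time-based seeding, the token length and all function names are this example's own assumptions; the advisory states only that rand() was used.

```c
/* Added example, not ValiCert code: predictable rand() tokens versus an
 * OS-CSPRNG token. Seeding rand() with the clock is an assumption here;
 * the advisory only says that rand() was used for HSM session tokens. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#if defined(__linux__) && defined(__has_include)
#  if __has_include(<sys/random.h>)
#    include <sys/random.h>
#    define HAVE_GETRANDOM 1
#  endif
#endif

#define TOKEN_LEN 8   /* hypothetical token size for the weak path */

/* Vulnerable pattern: seed the C library generator and take token bytes
 * from rand(). The whole token is a function of the 32-bit seed. */
void weak_token(unsigned int seed, uint8_t *out, size_t len) {
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(rand() % 256);
}

/* Attacker side: given a captured token and an estimate of its issue time
 * (e.g. from an HTTP Date header), try every seed in [t_lo, t_hi] and
 * return the one that regenerates the token, or -1 if none does. */
long long recover_seed(const uint8_t *token, size_t len,
                       unsigned int t_lo, unsigned int t_hi) {
    uint8_t cand[64];
    if (len > sizeof cand || t_lo > t_hi) return -1;
    for (unsigned int s = t_lo; ; s++) {
        weak_token(s, cand, len);
        if (memcmp(cand, token, len) == 0) return (long long)s;
        if (s == t_hi || s == UINT_MAX) break;   /* no wrap-around */
    }
    return -1;
}

/* Hardened pattern: take token or key bytes from the kernel CSPRNG. On
 * Linux, getrandom(2) with flags 0 blocks only until the pool has been
 * seeded at boot and never afterwards; elsewhere read /dev/urandom.
 * Returns 0 on success, -1 on failure. A caller must abort on -1 and
 * never fall back to rand(). */
int strong_token(uint8_t *out, size_t len) {
#ifdef HAVE_GETRANDOM
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(out + got, len - got, 0);
        if (n < 0) return -1;
        got += (size_t)n;
    }
    return 0;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, 1, len, f);
    fclose(f);
    return n == len ? 0 : -1;
#endif
}

/* Issue a weak token with `seed`, then search [t_lo, t_hi] for it the way
 * an attacker would; returns the recovered seed or -1. */
long long recovery_demo(unsigned int seed, unsigned int t_lo, unsigned int t_hi) {
    uint8_t tok[TOKEN_LEN];
    weak_token(seed, tok, sizeof tok);
    return recover_seed(tok, sizeof tok, t_lo, t_hi);
}

/* Issue two CSPRNG tokens: 1 if both succeeded and differ, 0 otherwise. */
int strong_token_demo(void) {
    uint8_t a[16], b[16];
    if (strong_token(a, sizeof a) != 0 || strong_token(b, sizeof b) != 0) return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void) {
    unsigned int issued = (unsigned int)time(NULL);   /* the server's seed */
    long long found = recovery_demo(issued, issued - 3600, issued + 3600);
    printf("weak token: seed %u recovered as %lld\n", issued, found);
    uint8_t tok[16];
    if (strong_token(tok, sizeof tok) != 0) { fputs("csprng unavailable\n", stderr); return 1; }
    printf("strong token: ");
    for (size_t i = 0; i < sizeof tok; i++) printf("%02x", tok[i]);
    printf("\n");
    return 0;
}
```

Compile with `cc -o token token.c` and run; the first line shows the attacker recovering the exact seed from a one-hour window, which costs a few thousand srand/rand calls. The window is only a convenience: because rand() holds at most 32 bits of state, enumerating the whole seed space offline is feasible even when the seed is not clock-derived, so no seeding trick rescues rand() for security-relevant values. The strong path has no such structure to exploit, and its error return is deliberately hard to ignore.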

Related Identifiers

CVE-2001-0950

Affected Products

ValiCert Enterprise Validation Authority (EVA) Administration Server