OpenSSL Security Advisory [29-Nov-2007]

OpenSSL FIPS Object Module Vulnerabilities
------------------------------------------

A significant flaw in the PRNG implementation for the OpenSSL FIPS Object 
Module v1.1.1 (https://www.openssl.org/source/openssl-fips-1.1.1.tar.gz, FIPS 
140-2 validation certificate #733, 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has 
been reported by Geoff Lowe of Secure Computing Corporation.  Due to a coding 
error in the FIPS self-test the auto-seeding never takes place.  That means 
that the PRNG key and seed used correspond to the last self-test. The FIPS 
PRNG gets additional seed data only from date-time information, so the 
generated random data is far more predictable than it should be, especially 
for the first few calls.

This vulnerability is tracked as CVE-2007-5502.
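The following Python model is an added example, not code from the advisory or from OpenSSL: it reproduces the failure mode described above, a generator whose key and seed stay at the self-test values and whose only per-call input is the date-time, beside the corrected initialisation that reseeds from the OS entropy source after the self-test. HMAC-SHA256 stands in for the block cipher and the key and seed values are constructed placeholders; the collision check is the sanity test a deployer can apply to two freshly started instances of any module.

```python
"""Toy model of the CVE-2007-5502 failure mode (added example, not OpenSSL code).
A simplified ANSI X9.31-style generator: keyed block function E over a seed V
and a date-time vector DT.  HMAC-SHA256 stands in for the block cipher so the
example needs no external library (a simplification, not the real construction)."""
import hashlib
import hmac
import os
import time

# Constructed placeholders for the self-test known-answer key and seed; in the
# flawed module these stayed in use because the auto-seeding step was skipped.
SELFTEST_KEY = b"selftest-key-placeholder"
SELFTEST_SEED = b"selftest-seed-placeholder"

def _block(key, data):
    """Stand-in for one 16-byte block cipher output."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class X931Prng:
    def __init__(self, key, seed):
        self.key, self.v = key, seed

    def generate(self, dt):
        """One X9.31 step: I = E(DT); R = E(I ^ V); V = E(I ^ R)."""
        i = _block(self.key, dt)
        r = _block(self.key, _xor(i, self.v))
        self.v = _block(self.key, _xor(i, r))
        return r

def flawed_init():
    """Self-test runs but auto-seeding is skipped: key and seed stay at KAT values."""
    return X931Prng(SELFTEST_KEY, SELFTEST_SEED)

def fixed_init():
    """Self-test runs, then key and seed are replaced from the OS entropy source."""
    return X931Prng(os.urandom(16), os.urandom(16))

def datetime_vector(now=None):
    """Date-time at one-second resolution, the only per-call seed data."""
    return int(time.time() if now is None else now).to_bytes(16, "big")

def fresh_instances_collide(init, dt):
    """Deployer's check: two independently started instances must not agree."""
    return init().generate(dt) == init().generate(dt)
```

With the flawed initialisation, two instances started within the same second return identical output; with the fixed initialisation they do not.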

Versions Affected
-----------------

OpenSSL FIPS Object Module v1.1.1 only.  Only those applications using this 
specific version of the OpenSSL FIPS Object Module which enter FIPS mode are 
affected.  Applications which do not enter FIPS mode or which use any other 
version of OpenSSL are not affected.  The OpenSSL FIPS Object Module v1.2 now 
undergoing validation testing is not affected.  

Recommendations
---------------

Wait for official approval of a patched distribution.

For reference purposes the patches

        https://www.openssl.org/news/patch-CVE-2007-5502-1.txt

(the simplest direct fix) and

        https://www.openssl.org/news/patch-CVE-2007-5502-2.txt

(a workaround which avoids touching the PRNG code directly) demonstrate two 
different fixes that independently address the vulnerability.  However, for 
FIPS 140-2 validated software no changes are permitted without prior official 
approval, so these patches cannot be applied to the v1.1.1 distribution for 
the purposes of producing a validated module.

The vendor of record for the FIPS validation, the Open Source Software 
Institute (OSSI), has supplied the FIPS 140-2 test lab with the information 
needed for a "letter change" update request, based on the latter of these two 
patches, to be submitted for official approval.  Once (and if) approved, the 
new distribution containing this patch will be posted as 
https://www.openssl.org/source/openssl-fips-1.1.2.tar.gz.  The timeline for this 
approval is presently unknown.