
Potential key material leak in OpenSSL and Stunnel

CVE-2014-0076, CVE-2014-0016
openssl, stunnel, ECDSA, DSA

The following two vulnerabilities affect OpenSSL through 1.0.1f and stunnel before 5.00 as used by Apache httpd and the SSL-VPN module in Airlock 4.2.6 and 5.0. Both vulnerabilities could affect the secrecy of key material. Airlock itself is not affected by either vulnerability.

CVE-2014-0016 (stunnel)

stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.

Airlock is not affected because stunnel on Airlock uses pthreads instead of forked processes.

CVE-2014-0076 (OpenSSL)

The Montgomery ladder implementation in OpenSSL through 1.0.1f does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.

Airlock is not affected because the side-channel attack requires local access to the system or its processes. Local access to Airlock is only available to trusted users (root).
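To illustrate the class of fix behind CVE-2014-0076, here is an added example (not OpenSSL's own code): a branching conditional swap next to a constant-time masked swap, with the masked swap driving a toy Montgomery ladder. The ladder computes g^k mod p over small integers as a stand-in for elliptic-curve point operations; the swap pattern per key bit is the same.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constant-time conditional swap: whether or not the swap happens, the same
 * loads, stores and XORs are executed, so timing and cache footprint do not
 * depend on the secret bit. This is the construction a constant-time
 * Montgomery ladder relies on. `bit` must be 0 or 1. */
void cswap_ct(uint64_t *a, uint64_t *b, size_t n, uint64_t bit) {
    uint64_t mask = (uint64_t)0 - (bit & 1);   /* 0 or all ones */
    for (size_t i = 0; i < n; i++) {
        uint64_t t = mask & (a[i] ^ b[i]);
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Branching swap, shown only for contrast: the body runs only when the
 * secret bit is set, so the memory touched per ladder step reveals the bit. */
void cswap_branch(uint64_t *a, uint64_t *b, size_t n, uint64_t bit) {
    if (bit) {
        for (size_t i = 0; i < n; i++) { uint64_t t = a[i]; a[i] = b[i]; b[i] = t; }
    }
}

/* Toy Montgomery ladder computing g^k mod p (p < 2^32 so products fit in
 * 64 bits). One swap before and one after each step, driven by the key bit;
 * the step itself is identical for every bit value. */
uint64_t ladder_pow(uint64_t g, uint64_t k, uint64_t p) {
    uint64_t r0 = 1 % p, r1 = g % p;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (k >> i) & 1;
        cswap_ct(&r0, &r1, 1, bit);
        r1 = (r0 * r1) % p;
        r0 = (r0 * r0) % p;
        cswap_ct(&r0, &r1, 1, bit);
    }
    return r0;
}

/* Runs constructed sample limbs through both swaps; returns 1 when they agree. */
int swaps_agree(uint64_t bit) {
    uint64_t a1[3] = {1, 2, 3}, b1[3] = {7, 8, 9};   /* constructed sample limbs */
    uint64_t a2[3] = {1, 2, 3}, b2[3] = {7, 8, 9};
    cswap_ct(a1, b1, 3, bit);
    cswap_branch(a2, b2, 3, bit);
    return memcmp(a1, a2, sizeof a1) == 0 && memcmp(b1, b2, sizeof b1) == 0;
}
```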

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Does not affect back-end behind Airlock