CVE-2013-7295

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html	Vendor Advisory
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:torproject:tor::::::::
	cpe:2.3:a:torproject:tor:0.2.4.1:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.2:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.3:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.4:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.5:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.6:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.7:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.8:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.9:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.10:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.11:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.12:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.13:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.14:alpha::::::
	cpe:2.3:a:torproject:tor:0.2.4.15:rc::::::
	cpe:2.3:a:torproject:tor:0.2.4.16:rc::::::
	cpe:2.3:a:torproject:tor:0.2.4.17:rc::::::
	cpe:2.3:a:torproject:tor:0.2.4.18:rc::::::

History

No history.

Information

Published : 2014-01-17 21:55

Updated : 2025-04-11 00:51

NVD link : CVE-2013-7295

Mitre link : CVE-2013-7295

CVE.ORG link : CVE-2013-7295

JSON object : View

Products Affected

torproject

tor

CWE

CWE-310

Cryptographic Issues

{"id": "CVE-2013-7295", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-01-17T21:55:14.613", "references": [{"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html", "source": "cve@mitre.org"}, {"url": "https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors."}, {"lang": "es", "value": "Tor anteriores a 0.2.4.20, cuando OpenSSL 1.x es utilizado en conjunci\u00f3n con cierto ajuste de HardwareAccel en las plataformas Intel Sandy Bridge e Ivy Bridge, no genera apropiadamente n\u00fameros aleatorios para (1) claves de identidad de relay y (2) claves de identidad de servicio oculto, lo cual podr\u00eda hacer m\u00e1s f\u00e1cil para los atacantes remotos sortear mecanismos de protecci\u00f3n criptogr\u00e1fica a trav\u00e9s de vectores no especificados."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38E5B597-6BA7-4360-BA84-C8B2DD61C0FE", "versionEndIncluding": "0.2.4.19"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.1:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CDF07FC-69FD-439D-807F-01B70803C6C6"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.2:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8433119-07E6-47BD-B8E6-4E0BBB694811"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.3:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5EAA2B8-1923-4BB3-A685-E7B6275E9FD6"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.4:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A03FBE6-EC3D-4D24-9447-B75CE67F2737"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.5:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40221BB3-73E6-4E7D-8994-BFCC8C8C0EDE"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.6:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A1BFADB-776C-4522-9747-2BB094A5091F"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.7:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCE1D379-5374-4158-8310-96F2CA67ED61"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.8:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "160AC840-E501-4DE4-AF63-E5F987219F6C"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.9:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA548CBD-31C5-4261-91A5-0D1314B827F0"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.10:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3421BEF-A468-4947-8EA7-02BF500D511C"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.11:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15D0BE3B-F4A4-4E18-9D83-487AFB366BBB"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.12:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3DDD7F0-D041-40FF-919A-2C905A7E2238"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.13:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "088D58DE-5C4D-4E0C-8CF4-3A2109D3F4A2"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.14:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "082F51D5-5890-45A9-8EDA-0E0215C0EAEF"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.15:rc:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72C8D3FA-8B99-4A4D-BC62-FD50EF77CEC0"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.16:rc:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDFF7FEE-4B36-4B86-8BC2-64C9009B3D80"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.17:rc:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5A18B95-0EEB-403C-A9C1-E559DBC64E2E"}, {"criteria": "cpe:2.3:a:torproject:tor:0.2.4.18:rc:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCFFA8A6-6D1A-4CFF-95A8-5FF2BE6287C4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}