Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
3 Feb 2014 Closed Low CVSS v2: 5.8 SA76
The output of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) may be predictable. If the output is predictable, an attacker can use that property to guess the sequence of pseudo random values generated using the EC_DRBG. In a worst case scenario, an attacker could decrypt confidential data, modify signed data, or pose as another entity.
No Blue Coat products are vulnerable.
CVE-2007-6755 – CVSS v2 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Dual_EC_DRBG is a NIST standard and is provided in many cryptographic libraries, including RSA’s BSAFE. NIST has published the following statement: “NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.”
Blue Coat products do not use Dual_EC_DRBG or BSAFE. Products that provide a “FIPS mode” of operation do not use Dual_EC_DRBG or BSAFE when the mode is enabled or when the mode is disabled.