What is CVE-2013-7295?

CVE-2013-7295 is a vulnerability in Torproject Tor, classified under Cryptographic Issues. Published 2014-01-17.

Is CVE-2013-7295 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Torproject Tor

CVE-2013-7295

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service…

Vulnerability class: POODLE (CVE-2014-3566)

EPSS: 0.002 (36.6th percentile) — read the EPSS interpretation.

Affected products

Torproject Tor — versions 0.2.4.1, 0.2.4.2, 0.2.4.3
N/a — versions n/a

Weakness classification (CWE)

CWE-310 — Cryptographic Issues

Public proof-of-concept exploits

References

openSUSE-SU-2014:0143 (vendor-advisory, x_refsource_SUSE)
[tor-talk] 20131223 Tor 0.2.4.20 is released (Vendor Advisory, mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2013-7295?: CVE-2013-7295 is a vulnerability in Torproject Tor, classified under Cryptographic Issues. Published 2014-01-17.
Is CVE-2013-7295 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.