PT-2023-23180 · C-Ares+7
David Gstir +1
Published 2023-05-22 · Updated 2026-02-18
CVE-2023-31147
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
c-ares versions prior to 1.19.1
Description
The issue arises when /dev/urandom or RtlGenRandom() is unavailable and c-ares falls back to rand() to generate DNS query IDs. rand() is not a cryptographically secure pseudorandom number generator (CSPRNG), and it is not seeded with srand(), so its output is predictable. That output is then fed into a non-compliant RC4 implementation, which may weaken it further. Modern OS-provided CSPRNGs such as arc4random() are not used.

Recommendations
For versions prior to 1.19.1, update to version 1.19.1, which resolves the issue. As a temporary workaround, consider restricting the use of the rand() function in c-ares until a patch is available, and avoid the non-compliant RC4 implementation in the affected API endpoints until the issue is resolved.
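Added example, not c-ares code or part of the advisory: the unseeded rand() fallback described above, modelled beside a fail-closed replacement that takes query IDs from the OS CSPRNG and refuses to issue one when no CSPRNG is available. It assumes Linux with glibc 2.25 or later (for getrandom()) and a readable /dev/urandom.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>   /* getrandom(): assumes Linux, glibc 2.25+ */

/* Weak pattern (models the fallback in the advisory, not c-ares code):
 * query IDs from rand(). The C standard specifies that rand() with no
 * prior srand() behaves as srand(1), so every fresh process walks the
 * same sequence from the same starting point. */
static uint16_t weak_query_id(void) { return (uint16_t)(rand() & 0xFFFF); }

/* Models two fresh processes by resetting the seed to the default (1);
 * returns 1 when both emit the identical ID stream. */
int weak_ids_repeat(void) {
    uint16_t a[8], b[8];
    srand(1); for (int i = 0; i < 8; i++) a[i] = weak_query_id();
    srand(1); for (int i = 0; i < 8; i++) b[i] = weak_query_id();
    return memcmp(a, b, sizeof a) == 0;
}

/* Hardened pattern: OS CSPRNG first (getrandom(), then /dev/urandom).
 * Returns -1 and issues no ID if neither is available, instead of
 * silently degrading to rand(). */
int strong_query_id(uint16_t *out) {
    uint16_t v;
    if (getrandom(&v, sizeof v, 0) == (ssize_t)sizeof v) { *out = v; return 0; }
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &v, sizeof v);
    close(fd);
    if (n != (ssize_t)sizeof v) return -1;
    *out = v;
    return 0;
}

/* Sanity check on the hardened path: 16 draws all succeed and are not
 * all identical (a smoke test, not a statistical randomness test). */
int strong_ids_vary(void) {
    uint16_t first, v;
    int differ = 0;
    if (strong_query_id(&first) != 0) return 0;
    for (int i = 0; i < 15; i++) {
        if (strong_query_id(&v) != 0) return 0;
        if (v != first) differ = 1;
    }
    return differ;
}
```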
Exploit
Fix
Weakness Enumeration
Use of Insufficiently Random Values
Related identifiers
Affected products
Alt Linux
Almalinux
Centos
Debian
Red Hat
Rocky Linux
Suse
C-Ares