PT-2023-8917 · C-Ares+8

David Gstir +1

Published 2023-05-22 · Updated 2024-06-15

CVE-2023-31124

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: c-ares versions prior to 1.19.1

Description: c-ares falls back to rand() when CARES_RANDOM_FILE is not set. rand() is not a Cryptographically Secure Pseudorandom Number Generator (CSPRNG), so the values it produces have too little entropy and can be exploited by an attacker, potentially impacting the integrity of protected information. The issue is specifically observed when cross-compiling c-ares for aarch64 Android using the autotools build system.

Recommendations: For versions prior to 1.19.1, update to version 1.19.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of rand() as a fallback until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. Avoid relying on the CARES_RANDOM_FILE fallback in the affected API endpoints until the issue is resolved.
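The two patterns the description contrasts, as an added illustration that is not c-ares code: a rand()-based fallback whose output is fully determined by its seed, beside a fallback that reads the configured random file or the OS CSPRNG instead. The function names are hypothetical, the `random_file` parameter stands in for the CARES_RANDOM_FILE path, and /dev/urandom is assumed to exist (POSIX).

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Weak pattern from the advisory: rand() seeded with a guessable value.
   Fills out[] with n 16-bit IDs; the same seed always yields the same IDs. */
static void weak_ids(unsigned seed, uint16_t *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(rand() & 0xFFFF);
}

/* Returns 1 if two runs seeded identically produce identical IDs, i.e. the
   output is determined entirely by the seed and therefore predictable. */
int weak_ids_repeat(unsigned seed)
{
    uint16_t a[8], b[8];
    weak_ids(seed, a, 8);
    weak_ids(seed, b, 8);
    return memcmp(a, b, sizeof a) == 0;
}

/* Hardened pattern: take bytes from the configured random file if one is
   given (assumed stand-in for CARES_RANDOM_FILE), otherwise from the OS
   CSPRNG at /dev/urandom, and never fall back to rand().
   Returns 0 on success, -1 if the source cannot be opened or read fully. */
int csprng_bytes(const char *random_file, void *buf, size_t len)
{
    const char *path = random_file ? random_file : "/dev/urandom";
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Returns 1 if both reads succeed and two independent 32-byte draws differ,
   as a CSPRNG's must except with negligible probability. */
int csprng_draws_differ(void)
{
    unsigned char a[32], b[32];
    if (csprng_bytes(NULL, a, sizeof a) != 0) return 0;
    if (csprng_bytes(NULL, b, sizeof b) != 0) return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```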

Weakness Enumeration

Use of Insufficiently Random Values

Related identifiers

ALSA-2023:3577
ALSA-2023:3586
ALSA-2023:4034
ALSA-2023:4035
ALSA-2023:6635
ALT-PU-2023-4134
ALT-PU-2023-4623
ALT-PU-2023-5121
BDU:2024-02612
CESA-2023_4034
CESA-2023_4035
CVE-2023-31124
GHSA-54XR-F67R-4PC4
OPENSUSE-SU-2024:12951-1
RHSA-2023:3577
RHSA-2023:3586
RHSA-2023:4033
RHSA-2023:4034
RHSA-2023:4035
RHSA-2023:4036
RHSA-2023:4039
RHSA-2023:6635
RHSA-2023_3577
RHSA-2023_3586
RHSA-2023_4034
RHSA-2023_4035
RHSA-2023_6635
RLSA-2023:3577
RLSA-2023:4034
RLSA-2023:4035
SUSE-SU-2023:2313-1
SUSE-SU-2023:2477-1
SUSE-SU-2023:2655-1
SUSE-SU-2023:2662-1
SUSE-SU-2023:2663-1
SUSE-SU-2023:2669-1
SUSE-SU-2023:2861-1
SUSE-SU-2023_2313-1
SUSE-SU-2023_2477-1

Affected products

Alt Linux
Almalinux
Centos
Debian
Red Hat
Red Os
Rocky Linux
Suse
C-Ares