PT-2023-23180 · C-Ares+7

David Gstir +1 · Published 2023-05-22 · Updated 2026-02-18 · CVE-2023-31147

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: c-ares versions prior to 1.19.1

Description: When /dev/urandom and RtlGenRandom() are unavailable, c-ares falls back to rand() to generate the random numbers used for DNS query IDs. rand() is not a Cryptographically Secure PseudoRandom Number Generator (CSPRNG), and c-ares never seeds it with srand(), so its output is predictable. That output is then fed into a non-compliant RC4 implementation, which may weaken it further. Modern OS-provided CSPRNGs, such as arc4random(), are not used.

Recommendations: For versions prior to 1.19.1, update to version 1.19.1 to resolve the issue. As a temporary workaround, consider restricting the use of the rand() function in c-ares until a patch is available. Avoid using the non-compliant RC4 implementation in the affected API endpoints until the issue is resolved.
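As an added illustration (not c-ares code), the C snippet below models the weak fallback the description refers to, a query-ID generator built on unseeded rand(), next to a hardened fallback that draws the ID from the OS CSPRNG. It assumes Linux/glibc 2.25 or later for getrandom(); on platforms that provide arc4random(), that call would play the same role. Because no process ever calls srand(), every fresh start of the weak generator replays the same ID sequence, which is exactly what makes the IDs predictable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(): Linux/glibc >= 2.25, assumed present */

#define N_IDS 8

/* Weak fallback as in the advisory: rand() is never seeded with srand(). */
static uint16_t weak_query_id(void) { return (uint16_t)(rand() & 0xFFFF); }

/* Hardened fallback: 16-bit ID straight from the kernel CSPRNG; -1 on failure. */
static int secure_query_id(uint16_t *id)
{
    return getrandom(id, sizeof *id, 0) == (ssize_t)sizeof *id ? 0 : -1;
}

/* Model a fresh process: C defines rand()'s initial state as srand(1). */
static void weak_id_sequence(uint16_t out[N_IDS])
{
    srand(1);
    for (int i = 0; i < N_IDS; i++)
        out[i] = weak_query_id();
}

/* 1 if two simulated process starts produce identical weak ID sequences. */
static int weak_sequence_repeats(void)
{
    uint16_t a[N_IDS], b[N_IDS];
    weak_id_sequence(a);
    weak_id_sequence(b);
    return memcmp(a, b, sizeof a) == 0;
}

/* 0 if two CSPRNG-backed runs differ (expected), 1 on a 2^-128 collision, -1 on error. */
static int secure_sequence_repeats(void)
{
    uint16_t a[N_IDS], b[N_IDS];
    for (int i = 0; i < N_IDS; i++)
        if (secure_query_id(&a[i]) || secure_query_id(&b[i]))
            return -1;
    return memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    printf("rand() IDs repeat: %d, getrandom() IDs repeat: %d (1 = yes)\n",
           weak_sequence_repeats(), secure_sequence_repeats());
    return 0;
}
```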

Weakness Enumeration: Use of Insufficiently Random Values

Related Identifiers

ALSA-2023:3577
ALSA-2023:3586
ALSA-2023:4034
ALSA-2023:4035
ALSA-2023:6635
ALT-PU-2023-4134
ALT-PU-2023-4623
ALT-PU-2023-5121
AZL-26869
AZL-26870
AZL-26871
AZL-26874
AZL-26875
AZL-26876
AZL-34776
AZL-43702
CESA-2023_4034
CESA-2023_4035
CVE-2023-31147
GHSA-8R8P-23F3-64C2
OESA-2023-1339
OESA-2023-1340
OESA-2023-1357
OESA-2023-1358
OPENSUSE-SU-2024:12951-1
RHSA-2023:3577
RHSA-2023:3586
RHSA-2023:4033
RHSA-2023:4034
RHSA-2023:4035
RHSA-2023:4036
RHSA-2023:4039
RHSA-2023:6635
RHSA-2023_3577
RHSA-2023_3586
RHSA-2023_4034
RHSA-2023_4035
RHSA-2023_6635
RLSA-2023:3577
RLSA-2023:4034
RLSA-2023:4035
SUSE-SU-2023:2313-1
SUSE-SU-2023:2477-1
SUSE-SU-2023:2655-1
SUSE-SU-2023:2662-1
SUSE-SU-2023:2663-1
SUSE-SU-2023:2669-1
SUSE-SU-2023:2861-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Red Hat
Rocky Linux
Suse
C-Ares