PT-2023-8917 · C-Ares+8 · C-Ares+8

David Gstir

+1

·

Published

2023-05-22

·

Updated

2024-06-15

·

CVE-2023-31124

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions c-ares versions prior to 1.19.1
Description The issue is related to the use of rand() as a fallback when CARES RANDOM FILE is not set, which can allow an attacker to exploit the lack of entropy by not using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). This can potentially impact the integrity of protected information. The issue is specifically observed when cross-compiling c-ares for aarch64 android using the autotools build system.
Recommendations For versions prior to 1.19.1, update to version 1.19.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of rand() as a fallback until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. Avoid using the CARES RANDOM FILE fallback in the affected API endpoints until the issue is resolved.

Exploit

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-330

Related Identifiers

ALSA-2023:3577
ALSA-2023:3586
ALSA-2023:4034
ALSA-2023:4035
ALSA-2023:6635
ALT-PU-2023-4134
ALT-PU-2023-4623
ALT-PU-2023-5121
BDU:2024-02612
CESA-2023_4034
CESA-2023_4035
CVE-2023-31124
GHSA-54XR-F67R-4PC4
OPENSUSE-SU-2024:12951-1
RHSA-2023:3577
RHSA-2023:3586
RHSA-2023:4033
RHSA-2023:4034
RHSA-2023:4035
RHSA-2023:4036
RHSA-2023:4039
RHSA-2023:6635
RHSA-2023_3577
RHSA-2023_3586
RHSA-2023_4034
RHSA-2023_4035
RHSA-2023_6635
RLSA-2023:3577
RLSA-2023:4034
RLSA-2023:4035
SUSE-SU-2023:2313-1
SUSE-SU-2023:2477-1
SUSE-SU-2023:2655-1
SUSE-SU-2023:2662-1
SUSE-SU-2023:2663-1
SUSE-SU-2023:2669-1
SUSE-SU-2023:2861-1
SUSE-SU-2023_2313-1
SUSE-SU-2023_2477-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Red Hat
Red Os
Rocky Linux
Suse
C-Ares