apache/harmony: The latest CVE Vulnerabilities and Exploits for Penetration Test
apache/harmony Vulnerability Summary
- Vendor name: apache
- Product name: harmony
- Total vulnerabilities: 1 (as of 2023-05-04)
apache/harmony Vulnerability List
CVE-2013-7372: The engineNextBytes function in…
- Published: 2014-04-29T20:55:00
- Last Modified: 2014-04-30T14:23:00
Summary
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
Common Weakness Enumeration (CWE): CWE-310: Cryptographic Issues
CWE Description: Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality of data if they are not addressed.
Scores
- Impact Score: 2.9
- Exploitability Score: 10.0
- CVSS: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Impact
- Availability: NONE
- Confidentiality: NONE
- Integrity: PARTIAL
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2013-7372 vulnerability.
References
- http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html
- http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf
- https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java
- https://bitcoin.org/en/alert/2013-08-11-android