Use of Insufficiently Random Values
CVE-2023-31147
Summary
c-ares is an asynchronous resolver library. When "/dev/urandom" or "RtlGenRandom()" are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by ''srand()'' so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like ''arc4random()'' that are widely available. This issue affects c-ares versions prior to 1.19.1.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-330 - Use of Insufficiently Random Values
The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
References
Advisory Timeline
- Published