Skip to main content

Use of Insufficiently Random Values

CVE-2023-31147

Severity Medium
Score 6.5/10

Summary

c-ares is an asynchronous resolver library. When "/dev/urandom" or "RtlGenRandom()" are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by ''srand()'' so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like ''arc4random()'' that are widely available. This issue affects c-ares versions prior to 1.19.1.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Advisory Timeline

  • Published