This issue was patched in version 1.19.1. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This issue has been fixed in version 1.19.1.Ĭ-ares is an asynchronous resolver library. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. Landscape cryptographic keys were insecurely generated with a weak pseudo-random generator.Ĭ-ares is an asynchronous resolver library. In 2.54, there is different API usage and/or random string insertion for mitigation. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The vulnerability does not exist if SSL / TLS encryption is used. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. An issue was discovered in Progress DataDirect Connect for ODBC before for Oracle.
0 Comments
Leave a Reply. |