CVE-2013-7372 - OpenCVE

The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Harmony
Google	Android

Configuration 1 [-]

OR	cpe:2.3:a:apache:harmony::m3::::::*
	cpe:2.3:o:google:android::::::::
	cpe:2.3:o:google:android:4.0:::::::*
	cpe:2.3:o:google:android:4.0.1:::::::*
	cpe:2.3:o:google:android:4.0.2:::::::*
	cpe:2.3:o:google:android:4.0.3:::::::*
	cpe:2.3:o:google:android:4.0.4:::::::*
	cpe:2.3:o:google:android:4.1:::::::*
	cpe:2.3:o:google:android:4.1.2:::::::*
	cpe:2.3:o:google:android:4.2:::::::*
	cpe:2.3:o:google:android:4.2.1:::::::*
	cpe:2.3:o:google:android:4.2.2:::::::*
	cpe:2.3:o:google:android:4.3:::::::*

References

Link	Resource
http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html	Patch
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf	Exploit
https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java	Patch
https://bitcoin.org/en/alert/2013-08-11-android

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:14:53

Updated: 2022-10-03T16:14:53

Reserved: 2022-10-03T00:00:00

Link: CVE-2013-7372

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-04-29T20:55:08.933

Modified: 2014-04-30T14:23:46.927

Link: CVE-2013-7372

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:14:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"tags": ["x_refsource_MISC"], "url": "https://bitcoin.org/en/alert/2013-08-11-android"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7372", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf", "refsource": "MISC", "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"name": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java", "refsource": "CONFIRM", "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"name": "https://bitcoin.org/en/alert/2013-08-11-android", "refsource": "MISC", "url": "https://bitcoin.org/en/alert/2013-08-11-android"}, {"name": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html", "refsource": "CONFIRM", "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7372", "datePublished": "2022-10-03T16:14:53", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2022-10-03T16:14:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:harmony:*:m3:*:*:*:*:*:*", "matchCriteriaId": "8C17E42B-0DCC-40B5-9F06-470B5D2D5658", "versionEndIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C2C07AF-6B89-4B53-826B-BBB1E1A61D33", "versionEndIncluding": "4.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "A39C31E3-75C0-4E92-A6B5-7D67B22E3449", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BB318EA4-2908-4B91-8DBB-20008FDF528A", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F4E46A9-B652-47CE-92E8-01021E57724B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "AB9B53C6-AE84-4A45-B83E-8E5CE44F7B93", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "36DD8E3F-6308-4680-B932-4CBD8E58A7FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "1DA9F0F7-D592-481E-884C-B1A94E702825", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "6CD857E7-B878-49F9-BDDA-93DDEBB0B42B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "FBDABB6C-FFF9-4E79-9EF1-BDC0BBDEA9F1", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "A47AB858-36DE-4330-8CAC-1B46C5C8DA80", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "49413FF7-7910-4F74-B106-C3170612CB2A", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A2467F65-A3B7-4E45-A9A5-E5A6EFD99D7B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013."}, {"lang": "es", "value": "La funci\u00f3n engineNextBytes en classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java en la implementaci\u00f3n SecureRandom en Apache Harmony hasta 6.0M3, utilizado en Java Cryptography Architecture (JCA) en Android anterior a 4.4 y otros productos, cuando el usuario no proporciona una semilla, la funci\u00f3n usa utiliza un valor de desplazamiento incorrecto, lo que facilita a un atacante poder anular los mecanismos de protecci\u00f3n criptogr\u00e1fica mediante el aprovechamiento de la previsibilidad PRNG resultante, tal y como se demostr\u00f3 activamente contra las aplicaciones Bitcoin Wallet en agosto 2013."}], "id": "CVE-2013-7372", "lastModified": "2014-04-30T14:23:46.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-29T20:55:08.933", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"source": "cve@mitre.org", "url": "https://bitcoin.org/en/alert/2013-08-11-android"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}