CVE-2013-7372
The engineNextBytes function in...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- April 29, 2014
- Published Date
- April 29, 2014
- Last Updated
- September 17, 2024
- Vendor
- Apache Software Foundation
- Product
- Harmony
- Description
- The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
- Tags
- Exploited in the Wild
- Yes (2014-04-29 20:00:00 UTC) Source
apache
android
CVSS Scores
CVSS v2.0
5.0
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Exploit Status
References
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf
https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java
https://bitcoin.org/en/alert/2013-08-11-android
http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2014-04-29 20:00:00 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel