Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg3ZzItd3JycC1yNmgz
Use of a Broken or Risky Cryptographic Algorithm
✍️ Description
The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control
🕵️♂️ Proof of Concept
Numerous examples and attack implementations can be found in this paper . If you're looking for a practical tool that can crack your mt_rand implementation's seed value, see this project and run the following commands in a console with php5 and OpenWall's tool installed:
root$ php -r 'mt_srand(13333337); echo mt_rand( ), "\n";'
After that, copy the output (1863134308) and execute the following commands:
root$ gcc php_mt_seed.c -o php_mt_seedroot$ ./php_mt_seed 1863134308
After waiting ~1 minute you should have a few possible seeds corresponding to their PHP versions, next to your installed PHP version you should see something akin to:
seed = 0x00cb7359 = 13333337 (PHP 7.1.0+)
Hey, that's your seed!
💥 Impact
An attacker could takeover accounts at random by enumerating and using access tokens.
📝 References
- https://openwall.com/php_mt_seedhttps://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf
- https://github.com/mautic/mautic/blob/5213e320b4ef4d0c51bb84c1d46a1071e8e4f7fc/app/bundles/PointBundle/Controller/TriggerController.php#L187
- https://github.com/mautic/mautic/releases/tag/3.3.4
- https://github.com/mautic/mautic/releases/tag/4.0.0
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg3ZzItd3JycC1yNmgz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: 3 months ago
CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Identifiers: GHSA-x7g2-wrrp-r6h3, CVE-2021-27913
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-x7g2-wrrp-r6h3
- https://nvd.nist.gov/vuln/detail/CVE-2021-27913
- https://github.com/mautic/mautic/commit/d1cad766a2de74e6c6b89d6d78c2a5f2e36ba91c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27913.yaml
- https://github.com/advisories/GHSA-x7g2-wrrp-r6h3
Blast Radius: 1.7
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 1,952 total
Affected Version Ranges: >= 4.0.0-alpha1, < 4.0.0, < 3.3.4
Fixed in: 4.0.0, 3.3.4
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 4.0.0-alpha1, 4.0.0-beta, 4.0.0-rc
All unaffected versions: 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4