CVE-2013-7372 : The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/cryp

The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

Published 2014-04-29 20:55:09

Updated 2014-04-30 14:23:47

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-7372

Probability of exploitation activity in the next 30 days: 0.24%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 64 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-7372

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-7372

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-7372

http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf

Exploit
https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java

luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java - platform/libcore - Git at Google
Patch
https://bitcoin.org/en/alert/2013-08-11-android

Android Security Vulnerability
http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html

Android Developers Blog: Some SecureRandom Thoughts
Patch

CVEs referencing this url

Products affected by CVE-2013-7372

Apache » Harmony » Update M3
Versions up to, including, (<=) 6.0
cpe:2.3:a:apache:harmony:*:m3:*:*:*:*:*:*
Matching versions
Google » Android
Versions up to, including, (<=) 4.3.1
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.1
cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0
cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.2
cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.1
cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.4
cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.0.3
cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.2
cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.1.2
cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.2.1
cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.3
cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 4.2.2
cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-7372

Exploit prediction scoring system (EPSS) score for CVE-2013-7372

CVSS scores for CVE-2013-7372

CWE ids for CVE-2013-7372

References for CVE-2013-7372

Products affected by CVE-2013-7372