CVE-2017-16028
cryptographically weak pseudo-random number generator vulnerability in randomatic (npm)

Vulnerability class: cryptographically weak pseudo-random number generator. Known exploits: none.

What is CVE-2017-16028 About?

Affected versions of `randomatic` use a cryptographically weak pseudo-random number generator, so the values it produces are predictable rather than genuinely random. This can severely impact applications that rely on randomness for security-sensitive operations. Exploitation is generally easy for an attacker who can predict or influence the seed, but the practical impact depends on what the application uses the 'random' values for.

Affected Software

randomatic <3.0.0

Technical Details

The vulnerability in randomatic versions prior to 3.0.0 stems from its reliance on a cryptographically weak pseudo-random number generator (PRNG). Unlike cryptographically secure PRNGs, a weak PRNG produces sequences of 'random' numbers that, given enough output or knowledge about the initial seed, can be predicted by an attacker. This lack of true unpredictability makes the generated values unsuitable for security-sensitive tasks such as generating session tokens, encryption keys, password resets, or other unique identifiers. An attacker could potentially predict subsequent 'random' values, leading to various security bypasses or compromises depending on how these values are used within an application.

What is the Impact of CVE-2017-16028?

Successful exploitation may allow attackers to predict security-sensitive values, such as session tokens, temporary passwords, or unique identifiers, potentially leading to unauthorized access, session hijacking, or other security bypasses, compromising confidentiality and integrity.

What is the Exploitability of CVE-2017-16028?

Exploitation complexity varies from low to moderate, depending on the application's use of randomatic and the attacker's ability to observe or infer generated values. No specific authentication or privilege is typically required beyond what is needed to interact with the application. The attack can be remote if the predictable 'random' values are exposed over a network, or local if internal components are being targeted. Prerequisites often involve the application using a vulnerable version of randomatic for security-critical functions. Special conditions may include the ability for an attacker to obtain several generated 'random' strings to reverse-engineer the PRNG's state or seed. Risk factors are significantly increased when randomatic is used in contexts like session ID generation, token creation, or any scenario where unpredictability is crucial for security.

What are the Known Public Exploits?

PoC    Author    Link    Commentary
(no known exploits)

What are the Available Fixes for CVE-2017-16028?

Available Upgrade Options

  • randomatic
    • <3.0.0 → Upgrade to 3.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16028?

Similar Vulnerabilities: CVE-2016-1000140, CVE-2016-1000141, CVE-2016-1000142, CVE-2016-1000143, CVE-2016-1000216