CVE-2018-16115
RNG Error vulnerability in akka-actor_2.11 (Maven)
What is CVE-2018-16115 About?
This vulnerability in Lightbend Akka allows for message disclosure and modification due to a predictable random number generator (RNG) error. An attacker can exploit this weakness to compromise communication, making it relatively easy to eavesdrop, replay, or alter messages. The flaw stems from a bug in custom RNG implementations that were historically recommended in documentation.
Affected Software
- com.typesafe.akka:akka-actor_2.11
- >2.5.0, <2.5.16
- com.typesafe.akka:akka-actor_2.12
- >2.5.0, <2.5.16
Technical Details
The vulnerability arises from a bug in custom random number generator (RNG) implementations, specifically AES128CounterSecureRNG and AES256CounterSecureRNG, used in Akka Remoting for TLS. These implementations had a flaw causing generated numbers to repeat after only a few bytes, making them highly predictable. Although not configured by default, examples in documentation implicitly recommended their use. An attacker can leverage this predictability to compromise the TLS handshake or subsequent encrypted communication, enabling them to eavesdrop on sensitive messages, replay captured messages to disrupt or impersonate, or modify message contents for malicious purposes.
What is the Impact of CVE-2018-16115?
Successful exploitation may allow attackers to compromise the confidentiality, integrity, and availability of communication channels.
What is the Exploitability of CVE-2018-16115?
Exploitation of this vulnerability requires the target Akka application to be configured with the vulnerable AES128CounterSecureRNG or AES256CounterSecureRNG. The complexity is moderate, as it involves analyzing the predictable RNG output to reconstruct or manipulate cryptographic keys or session parameters. There are no explicit authentication or privilege requirements to initiate the attack against the communication channel itself, potentially allowing remote attackers to compromise the communication if the vulnerable RNG is in use.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2018-16115?
Available Upgrade Options
- com.typesafe.akka:akka-actor_2.11
- >2.5.0, <2.5.16 → Upgrade to 2.5.16
- com.typesafe.akka:akka-actor_2.12
- >2.5.0, <2.5.16 → Upgrade to 2.5.16
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
What are Similar Vulnerabilities to CVE-2018-16115?
Similar Vulnerabilities: CVE-2008-4107 , CVE-2013-6388 , CVE-2016-1000338 , CVE-2017-1000007 , CVE-2019-13627
