Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Enigmail - CVE-2017-17845
Published: December 27, 2017 / Updated: July 17, 2020
Vulnerability identifier: #VU31377
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-17845
CWE-ID: CWE-338
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: enigmail.mozdev.org
Affected software:
Enigmail
Enigmail
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An issue was discovered in Enigmail before 1.9.9. Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp), aka TBE-01-001.
How to mitigate CVE-2017-17845
Install update from vendor's website.
Sources
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.html
- https://www.debian.org/security/2017/dsa-4070
- https://www.mail-archive.com/enigmail-users@enigmail.net/msg04280.html