Main Vulnerability Database Vulnerabilities #VU97632

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Linux target framework (tgt) - CVE-2024-45751

Published: September 20, 2024

Vulnerability identifier: #VU97632

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-45751

CWE-ID: CWE-338

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: FUJITA Tomonori

Affected software:
Linux target framework (tgt)

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass CHAP authentication.

The vulnerability exists due to the application attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical.This results in predictable challenges which an attacker capable of recording network traffic between iSCSI target and initiator can abuse to bypass CHAP authentication by replaying previous responses.

How to mitigate CVE-2024-45751

Install updates from vendor's website.

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Linux target framework (tgt) - CVE-2024-45751

Detailed vulnerability description

How to mitigate CVE-2024-45751

Sources

Please verify you're human