#VU110345 Insufficient Entropy in PHP - CVE-2008-2108

Cybersecurity Help s.r.o.

Published: 2024-02-15 | Updated: 2025-06-08

Vulnerability identifier: #VU110345

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2008-2108

CWE-ID: CWE-331

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: before

External links
https://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
https://www.sektioneins.de/advisories/SE-2008-02.txt
https://www.mandriva.com/security/advisories?name=MDVSA-2008:130
https://www.redhat.com/support/errata/RHSA-2008-0582.html
https://www.mandriva.com/security/advisories?name=MDVSA-2008:128
https://www.mandriva.com/security/advisories?name=MDVSA-2008:125
https://secunia.com/advisories/31119
https://www.redhat.com/support/errata/RHSA-2008-0505.html
https://secunia.com/advisories/31200
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00773.html
https://secunia.com/advisories/30757
https://www.mandriva.com/security/advisories?name=MDVSA-2008:126
https://www.redhat.com/support/errata/RHSA-2008-0546.html
https://www.redhat.com/support/errata/RHSA-2008-0545.html
https://secunia.com/advisories/31124
https://www.mandriva.com/security/advisories?name=MDVSA-2008:127
https://www.redhat.com/support/errata/RHSA-2008-0544.html
https://www.mandriva.com/security/advisories?name=MDVSA-2008:129
https://www.ubuntu.com/usn/usn-628-1
https://secunia.com/advisories/30828
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00779.html
https://securityreason.com/securityalert/3859
https://secunia.com/advisories/35003
https://www.debian.org/security/2009/dsa-1789
https://secunia.com/advisories/32746
https://security.gentoo.org/glsa/glsa-200811-05.xml
https://exchange.xforce.ibmcloud.com/vulnerabilities/42226
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10844
https://www.securityfocus.com/archive/1/491683/100/0/threaded

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PHP