Vigil@nce - libcurl: predictable random via randit
February 2017 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can predict the random values generated by libcurl's randit().
– Impacted products: curl.
– Severity: 2/4.
– Creation date: 29/12/2016.
DESCRIPTION OF THE VULNERABILITY
Since version 7.52.0, the libcurl library uses the randit() function to
generate random values (used for Digest/NTLM authentication, multipart
boundary strings, etc.).
However, this function is incorrectly implemented, so the values it
produces are predictable or weak.
An attacker can therefore predict the random values generated by libcurl's randit().
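The bulletin does not reproduce the faulty code. As an added illustration (not code from the bulletin or from the curl project), the block below models the defect class reported for libcurl 7.52.0, where randit() obtained a good value but never stored it into the caller's buffer, and pairs it with the regression check a test suite should carry for any RNG wrapper: pre-fill the output with a sentinel and confirm it is overwritten with varying values. The function names randit_buggy, randit_fixed and rng_writes_output are constructed, and /dev/urandom is assumed to be readable.

```c
#include <stdio.h>

/* Read sizeof(*out) bytes of OS entropy. Returns 0 on success, -1 on failure. */
static int read_urandom(unsigned int *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, sizeof(*out), 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Constructed reproduction of the defect class: the function obtains a good
   value but rebinds its local pointer instead of storing through it, so the
   caller's variable is left untouched and the "random" the caller sees is
   whatever was already there. */
static int randit_buggy(unsigned int *rnd) {
    unsigned int r;
    if (read_urandom(&r) != 0) return -1;
    rnd = &r;      /* BUG: should be *rnd = r; */
    (void)rnd;
    return 0;
}

/* Corrected form: the value is written into the caller's buffer. */
static int randit_fixed(unsigned int *rnd) {
    unsigned int r;
    if (read_urandom(&r) != 0) return -1;
    *rnd = r;
    return 0;
}

/* Regression check for an RNG wrapper: pre-fill the output with a sentinel,
   call the generator several times, and require that (a) every call reports
   success, (b) the sentinel is overwritten every time, and (c) the outputs
   are not all identical. Returns 1 if the generator passes, 0 otherwise. */
int rng_writes_output(int (*gen)(unsigned int *)) {
    const unsigned int sentinel = 0xA5A5A5A5u;
    unsigned int first = 0;
    int all_same = 1;
    for (int i = 0; i < 8; i++) {
        unsigned int v = sentinel;
        if (gen(&v) != 0) return 0;      /* generator failed */
        if (v == sentinel) return 0;     /* output was never written */
        if (i == 0) first = v;
        else if (v != first) all_same = 0;
    }
    return all_same ? 0 : 1;
}
```

The check catches the unwritten-output defect deterministically; it is only a smoke test for quality, and must not be mistaken for a statistical randomness test.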
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/libcurl-predictable-random-via-randit-21461