CVE-2023-31147 : c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom()

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

Published 2023-05-25 22:15:10

Updated 2023-10-31 16:06:05

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-31147

Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
C-ares Project » C-ares
Versions before (<) 1.19.1
cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-31147

EPSS FAQ

0.33%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 54 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-31147

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	3.9	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-31147

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2023-31147

https://security.gentoo.org/glsa/202310-09

c-ares: Multiple Vulnerabilities (GLSA 202310-09) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/

[SECURITY] Fedora 37 Update: c-ares-1.19.1-1.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1

Release 1.19.1 · c-ares/c-ares · GitHub
Release Notes

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/

[SECURITY] Fedora 38 Update: c-ares-1.19.1-1.fc38 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2

Insufficient randomness in generation of DNS query IDs · Advisory · c-ares/c-ares · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-31147

Products affected by CVE-2023-31147

Exploit prediction scoring system (EPSS) score for CVE-2023-31147

CVSS scores for CVE-2023-31147

CWE ids for CVE-2023-31147

References for CVE-2023-31147