CVE-2019-25089

A vulnerability has been found in Morgawr Muon 0.1.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file src/muon/handler.clj. The manipulation leads to insufficiently random values. The attack can be launched remotely. Upgrading to version 0.2.0-indev is able to address this issue. The name of the patch is c09ed972c020f759110c707b06ca2644f0bacd7f. It is recommended to upgrade the affected component. The identifier VDB-216877 was assigned to this vulnerability.

Weakness

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Affected Software

Potential Mitigations

• Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
• In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
• Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a “random enough” number.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/112.html
• https://cwe.mitre.org/data/definitions/485.html
• https://cwe.mitre.org/data/definitions/59.html

References

• https://github.com/Morgawr/Muon/commit/c09ed972c020f759110c707b06ca2644f0bacd7f
• https://github.com/Morgawr/Muon/issues/4
• https://vuldb.com/?ctiid.216877
• https://vuldb.com/?id.216877