CVE Vulnerabilities

CVE-2024-1579

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Published: Apr 29, 2024 | Modified: Apr 30, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking.This issue affects GateManager: before 11.2.624071020.

Weakness

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Extended Description

	   PRNGs are deterministic and, while their output appears
	   random, they cannot actually create entropy. They rely on
	   cryptographically secure and unique seeds for entropy so
	   proper seeding is critical to the secure operation of the
	   PRNG.

	   Management of seeds could be broken down into two main areas:
	   

		 
		 
	   

		   PRNGs require a seed as input to generate a stream of
		   numbers that are functionally indistinguishable from
		   random numbers.  While the output is, in many cases,
		   sufficient for cryptographic uses, the output of any
		   PRNG is directly determined by the seed provided as
		   input. If the seed can be ascertained by a third party,
		   the entire output of the PRNG can be made known to
		   them. As such, the seed should be kept secret and
		   should ideally not be able to be guessed. For example,
		   the current time may be a poor seed. Knowing the
		   approximate time the PRNG was seeded greatly reduces
		   the possible key space.
		 

		   Seeds do not necessarily need to be unique, but reusing seeds may open up attacks if the seed is discovered.

References