ZendFramework1 Potential Insufficient Entropy Vulnerability

2024-06-0722:26:25

CWE-331

GitHub Advisory Database

github.com

zendframework1

insufficient entropy

cryptographically secure

information disclosure

openssl_random_pseudo_bytes

php bug 70014

random_compat library

6.8 Medium

AI Score

Confidence

Low

JSON

We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls:

Zend_Ldap_Attribute::createPassword
Zend_Form_Element_Hash::_generateHash
Zend_Gdata_HttpClient::filterHttpRequest
Zend_Filter_Encrypt_Mcrypt::_srand
Zend_OpenId::randomBytes

In each case, the methods were using rand() or mt_rand(), neither of which can generate cryptographically secure values. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

Moreover, we discovered a potential security issue in the usage of the openssl_random_pseudo_bytes() function in Zend_Crypt_Math::randBytes, reported in PHP BUG #70014, and the security implications reported in a discussion on the random_compat library.

Affected configurations

Vulners

Node

zendframeworkzendframework1Range<1.12.18

CPENameOperatorVersion
zendframework/zendframework1lt1.12.18

CPE	Name	Operator	Version
	zendframework/zendframework1	lt	1.12.18

References

framework.zend.com/security/advisory/ZF2016-01

github.com/advisories/GHSA-8xhv-gqm4-3w99

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-01.yaml

6.8 Medium

AI Score

Confidence

Low

JSON