Bug 2380942 (CVE-2025-40918)

Summary: CVE-2025-40918 authen-sasl: Authen::SASL::Perl::DIGEST_MD5 insecure cnonce generation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: crizzo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A client nonce (cnonce) generation flaw has been discovered in Authen::SASL::Perl::DIGEST_MD5. The cnonce is generated from an MD5 hash of the PID, the epoch time, and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2381430, 2381431, 2381432, 2381433    
Bug Blocks:    

Description OSIDB Bzimport 2025-07-16 15:01:24 UTC 
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.

The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation
 depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.