Bug 978243 (CVE-2013-2213)

Summary: CVE-2013-2213 KDE KRandom::random() CWE-334: Small Space of Random Values
Product: [Other] Security Response Reporter: Garth Mollett <gmollett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dvratil, jgrulich, jreznik, kevin, ltinkl, rdieter, rnovacek, smparrish, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-08 03:51:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 978246, 978247    
Bug Blocks: 978251    

Description Garth Mollett 2013-06-26 07:31:04 UTC 
Michael Samuel (mik) reports:
KRandom::random() should not be considered a secure PRNG due to having a limited space of random values (32bits).

Reference:
http://openwall.com/lists/oss-security/2013/06/26/1
http://openwall.com/lists/oss-security/2013/06/26/2
Comment 1 Garth Mollett 2013-06-26 07:43:02 UTC 
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 978246]
Comment 2 Garth Mollett 2013-06-26 07:43:13 UTC 
Created kdelibs3 tracking bugs for this issue

Affects: fedora-all [bug 978247]
Comment 3 Huzaifa S. Sidhpurwala 2013-07-08 03:24:46 UTC 
The KRandom::random() function is written using the glibc srand()/rand() functions. 

kdecore/util/krandom.cpp:

     39       int fd = KDE_open("/dev/urandom", O_RDONLY);
     40       if (fd < 0 || ::read(fd, &seed, sizeof(seed)) != sizeof(seed))
     41       {
     42             // No /dev/urandom... try something else.
     43             srand(getpid());
     44             seed = rand()+time(0);
     45       }
     46       if (fd >= 0) close(fd);
     47       srand(seed);
     48    }
     49    return rand();

Krandom::random() tries to read the seed from /dev/urandom. If it is not able to open /dev/urandom, it uses a combination of the pid and system time to derive a seed (more predictable then /dev/urandom ofcourse). This seed is then used to derive random numbers via the glibc, rand() function.

Note: glibc's rand() function is based on Linear congruential generator and is not recommended to be used for cryptographic purposes which includes generation of random passwords/keys for desktop applications.

The same applies to other pseudo-random number generator functions like KRandom::random() which are based on glibc's rand().

Red Hat recommends use of the following functions for generating unpredictable and non-repeating values pseudo-random numbers.

http://docs.fedoraproject.org/en-US/Fedora_Security_Team//html/Defensive_Coding/ch10s02.html