CVE-2013-7372
published 2014-04-29CVE-2013-7372: The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in…
PriorityP273medium5CVSS 2.0
AVNACLAuNCNIPAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
2.34%
81.5th percentile
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | harmony | <= 6.0 | — |
| android | <= 4.3.1 | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fgwm-j3p8-w23c: The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl
ghsa_unreviewed·2022-05-17
CVE-2013-7372 [MEDIUM] GHSA-fgwm-j3p8-w23c: The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
VulnCheck
Apache Harmony SecureRandom Security Bypass
vulncheck·2013·CVSS 5.0
CVE-2013-7372 [MEDIUM] Apache Harmony SecureRandom Security Bypass
Apache Harmony SecureRandom Security Bypass
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
Affected: Apache harmony
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigat
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.htmlhttp://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdfhttps://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.javahttps://bitcoin.org/en/alert/2013-08-11-androidhttp://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.htmlhttp://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdfhttps://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.javahttps://bitcoin.org/en/alert/2013-08-11-android
2014-04-29
Published
Exploited in the wild