OpenCVE

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudflare	Circl

Configuration 1 [-]

cpe:2.3:a:cloudflare:circl:*:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x

History

No history.

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2023-05-10T11:41:53.902Z

Updated: 2024-08-02T05:57:24.987Z

Reserved: 2023-03-30T15:16:57.957Z

Link: CVE-2023-1732

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-10T12:15:10.523

Modified: 2023-05-17T17:04:45.347

Link: CVE-2023-1732

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1732", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-03-30T15:16:57.957Z", "datePublished": "2023-05-10T11:41:53.902Z", "dateUpdated": "2024-08-02T05:57:24.987Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/cloudflare/circl", "defaultStatus": "unaffected", "platforms": ["Go"], "product": "CIRCL", "vendor": "Cloudflare", "versions": [{"lessThan": "<1.3.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tom Thorogood"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether <code>crypto/rand.Read()</code> returns an error. In rare deployment cases (error thrown by the <code>Read()</code> function), this could lead to a predictable shared secret.</p><p>The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides <code>crypto/rand.Reader</code>, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.</p>"}], "value": "When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read()\u00a0returns an error. In rare deployment cases (error thrown by the Read()\u00a0function), this could lead to a predictable shared secret.\n\nThe tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.\n\n"}], "impacts": [{"capecId": "CAPEC-620", "descriptions": [{"lang": "en", "value": "CAPEC-620 Drop Encryption Level"}]}, {"capecId": "CAPEC-20", "descriptions": [{"lang": "en", "value": "CAPEC-20 Encryption Brute Forcing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-755", "description": "CWE-755 Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-05-10T11:41:53.902Z"}, "references": [{"url": "https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x"}], "source": {"discovery": "EXTERNAL"}, "title": "Improper random reading in CIRCL", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:57:24.987Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:circl:*:*:*:*:*:go:*:*", "matchCriteriaId": "39A6B412-BB17-403E-B83A-FCFAD155C1B9", "versionEndExcluding": "1.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read()\u00a0returns an error. In rare deployment cases (error thrown by the Read()\u00a0function), this could lead to a predictable shared secret.\n\nThe tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.\n\n"}], "id": "CVE-2023-1732", "lastModified": "2023-05-17T17:04:45.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.2, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2023-05-10T12:15:10.523", "references": [{"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-755"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}