Bug 828023 (CVE-2013-2213) - VUL-1: CVE-2013-2213: KRandom::random() isn't a secure PRNG
Summary: VUL-1: CVE-2013-2213: KRandom::random() isn't a secure PRNG
Status: RESOLVED UPSTREAM
Alias: CVE-2013-2213
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2013-2213:2.1:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-03 16:09 UTC by Marcus Meissner
Modified: 2020-04-01 22:08 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-03 16:09:29 UTC 
is public, via oss-sec


http://openwall.com/lists/oss-security/2013/05/28/5

From: Michael Samuel <mik@...net.net>
Subject: KDE Paste Applet

The paste applet included with kdeplasma-addons allows you to define
macros that will copy some generated data into the clipboard, using
simple macros to define the source and format of the data.

The available macros include %{password(...)} which generates "random"
passwords.

Here is the code that generates the passwords (from pastemacroexpander.cpp):

    QDateTime now = QDateTime::currentDateTime();
    qsrand(now.toTime_t() / now.time().msec());
    for (int i = 0; i < charCount; ++i) {
        result += chars[qrand() % chars.count()];
    }

Breaking passwords generated by this (for example from leaked password
hashes) can be done extremely quickly, especially if a password expiry
or other hint is stored with the password.

Workaround: You can change the macro you were using to a %{exec(...)}
macro which calls a secure password generator.  Please select your
replacement carefully.

I reported this to security at kde.org and created a launchpad ticket
against the Ubuntu package on May 13, followed up with a proof of
concept on the 17th, and have received no response at all from either.
 Apologies if that was the wrong contact method.

Regards,
  Michael
Comment 1 Marcus Meissner 2013-07-03 16:11:55 UTC 
actually different issue that got uncovered later in this thread:

http://openwall.com/lists/oss-security/2013/06/26/1
quote:
Fedora and Ubuntu have both pushed out this patch.  Requesting a new CVE
for "KRandom::random() isn't a secure PRNG", since the KDE guys are
convinced that it is.

http://openwall.com/lists/oss-security/2013/06/26/2
quote:
So the thing is it can be completely random, just like a coin flip.
But the search space might be to small (e.g. a 1 bit key based on a
coin flip wouldn't be "secure"). I suspect 2^32 isn't enough any more
either, assuming a 480 core GPU, if you can run 250 cracking attempts
per second per core you can brute force a 2^32 search space in 10
hours or so. Needless to say GPUs are getting pretty cheap. So this
appears to be a textbook example of CWE-334 "Small Space of Random
Values".

Please use CVE-2013-2213 for KDE KRandom::random() CWE-334: Small
Space of Random Values.
Comment 2 Swamp Workflow Management 2013-07-03 22:01:00 UTC 
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-07-01 14:37:00 UTC 
the KRandom::random() so far its not fixed upstream.

I would leave it for upstream kde