Bug 42250 (CVE-2002-1336) - VUL-0: CVE-2002-1336: vnc srandom() vulnerability (CAN-2002-1336)
Status: RESOLVED FIXED
Alias: CVE-2002-1336
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Ralf Flaxa
QA Contact: Security Team bot
Whiteboard: CVE-2002-1336: CVSS v2 Base Score: 7....
Reported: 2003-06-05 05:34 UTC by Ademar de Souza Reis Jr.
Modified: 2021-09-27 10:12 UTC


Description Ademar de Souza Reis Jr. 2003-06-05 05:34:23 UTC
There is a vnc security fix available (nc-3.3.3r2-436), but there's a pending
vulnerability not fixed:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1336

TightVNC before 1.2.6 generates the same challenge string for multiple
connections, which allows remote attackers to bypass VNC authentication by
sniffing the challenge and response of other users.

Patch:

diff -ur vnc_unixsrc-orig/libvncauth/vncauth.c vnc_unixsrc/libvncauth/vncauth.c
--- vnc_unixsrc-orig/libvncauth/vncauth.c       Thu Apr 29 07:39:15 1999
+++ vnc_unixsrc/libvncauth/vncauth.c    Fri Apr 25 17:03:33 2003
@@ -124,9 +124,15 @@
 vncRandomBytes(unsigned char *bytes)
 {
     int i;
-    unsigned int seed = (unsigned int) time(0);
+    unsigned int seed;
+    static int s_srandom_called = 0;
+
+    if (!s_srandom_called) {
+      seed = (unsigned int)time(0) ^ (unsigned int)getpid();
+      srandom(seed);
+      s_srandom_called = 1;
+    }

-    srandom(seed);
     for (i = 0; i < CHALLENGESIZE; i++) {
        bytes[i] = (unsigned char)(random() & 255);
     }
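
Review bot: The seed on the added line `seed = (unsigned int)time(0) ^ (unsigned int)getpid();` is built from two guessable values, and the challenge bytes in the loop still come straight from `random()`, which is not a cryptographic generator. Seeding only once does stop the same challenge being issued to connections that arrive within the same second, which is the reported bug, but the challenge sequence stays predictable in principle for anyone who can narrow down the server start time and PID. Consider filling `bytes` from the kernel random source (for example `/dev/urandom`) and keeping `random()` only as a fallback when that is unavailable. Also confirm that `<unistd.h>` is included for `getpid()`, since the hunk shows no include change.
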
Comment 1 Olaf Kirch 2003-06-05 19:51:14 UTC
Hm, where did that come from? 
 
Anyway, it seems we have to do another update for it. Max, can you 
prepare new packages, please? 
Comment 2 Reinhard Max 2003-06-07 01:33:17 UTC
Just submitted the fixed package:
-------------------------------------------------------------------
Thu Jun  5 16:38:25 CEST 2003 - max@suse.de

- security fix: invalid use of srandom(). Bug 42250

-------------------------------------------------------------------

Who will write the patchinfo?
Comment 3 Lars Müller 2003-06-10 17:47:35 UTC
Did you also fix it for sles7? Ask me if you need help.
Comment 4 Lars Müller 2003-06-10 18:35:38 UTC
Please also add CAN-2002-1336 to the changelog.
Comment 5 Reinhard Max 2003-06-11 17:02:42 UTC
Package for SLES7 and patchinfo file submitted.
Comment 6 Ademar de Souza Reis Jr. 2003-06-13 21:58:15 UTC
Any estimate of when it is going to appear in the UL updates area?
Comment 7 Ralf Flaxa 2003-07-04 18:04:56 UTC
Released on 2003-06-16. 
 
Comment 8 Marcus Meissner 2007-11-09 19:30:59 UTC
CVE-2002-1336
Comment 9 Thomas Biege 2009-10-13 19:33:37 UTC
CVE-2002-1336: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)