Category:   Device (VoIP/Phone/FAX)  >   Google Android
Vendors:   Google
Google Android PRNG Initialization Flaw Causes Some Cryptographic Applications to Be Less Secure
SecurityTracker Alert ID:  1028916
SecurityTracker URL:  http://securitytracker.com/id/1028916
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 15 2013
Impact:   Disclosure of system information, Disclosure of user information, Host/resource access via network, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Google Android. The system may not properly generate pseudo-random numbers, making cryptographic applications less secure.

The Java Cryptography Architecture (JCA) implementation, including the SecureRandom class, does not properly seed the pseudo-random number generator (PRNG). As a result, cryptographic applications using JCA functions may not be secure.

Applications that use the OpenSSL PRNG without explicit initialization are also affected.

Applications using TLS/SSL connections based on the HttpClient and java.net classes are not affected.

This vulnerability has been actively exploited against Android-based Bitcoin wallets.

The original Bitcoin advisory is available at:

http://bitcoin.org/en/alert/2013-08-11-android

The original advisory is available at:

http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html

Impact:   The system may not properly generate pseudo-random numbers, making cryptographic applications less secure.
Solution:   The vendor has issued a fix for the Android OpenSSL implementation and has distributed patches to Android Open Handset Alliance (OHA) partners.

The vendor recommends that developers using JCA for key generation, signing, or random number generation update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random, as described at:

http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html

Vendor URL:  www.android.com/
Cause:   Randomization error

Message History:   None.

