#VU93491 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in DNS library in Go - CVE-2019-19794


Vulnerability identifier: #VU93491

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19794

CWE-ID: CWE-338

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
DNS library in Go
Universal components / Libraries / Libraries used by multiple products

Vendor: miekg

Description

The vulnerability allows a remote attacker to poison DNS cache.

The vulnerability exists due to usage of predictable random numbers for TXID. A remote attacker can forge DNS responses.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

DNS library in Go: before 1.1.25

External links
https://github.com/coredns/coredns/issues/3519
https://github.com/coredns/coredns/issues/3547
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25
https://github.com/miekg/dns/issues/1043
https://github.com/miekg/dns/pull/1044

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat OpenStack 16.2 packages
CoreDNS update for Miek Gieben DNS library
Use of cryptographically weak pseudo-random number generator in Miek Gieben DNS library