Net::NSCA::Client Poor Random Number Generator Vulnerability in Perl
Vulnerability
Net::NSCA::Client versions through 0.009002 for Perl generate cryptographic initialization vectors (IVs) with a weak random number generator. In version 0.003 the module switched from Crypt::Random to Data::Rand::Obscure for IV generation. Data::Rand::Obscure is built on Perl's built-in rand(), a non-cryptographic generator: since Perl 5.20 it is a 48-bit drand48 linear congruential generator on every platform, and its full internal state can be recovered from a single observed output, after which every subsequent value is predictable. No post-processing of rand() output (hashing, formatting as hex) adds entropy the generator never had. The IVs produced this way are therefore predictable to anyone who can observe or reproduce the generator's state, which is the precondition for the cryptographic attacks described under Impact.
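The following script is an added illustration for this advisory; it is not code from Net::NSCA::Client or Data::Rand::Obscure, and it does not call either module. It shows the property of Perl's rand() that the vulnerability rests on: one observed output is enough to recover the drand48 state and predict every later output, so an IV assembled from rand() bytes can be reproduced by an attacker. The LCG constants (multiplier 0x5DEECE66D, increment 0xB, modulus 2**48) are those of Perl's internal drand48 for perl 5.20 and later; on older perls, where rand() came from the platform's libc, the prediction step does not apply. The hardened IV generator assumes Crypt::URandom exports a `urandom($n)` function and falls back to reading /dev/urandom directly when the module is absent.

```perl
#!/usr/bin/perl
# Added example for the Net::NSCA::Client rand() advisory. Not project code.
# Assumes perl >= 5.20, where rand() is a 48-bit drand48 LCG on all platforms:
#   state' = (state * 0x5DEECE66D + 0xB) mod 2**48,   rand() = state' / 2**48
# One observed output therefore exposes the whole generator state.
use strict;
use warnings;
use Math::BigInt;   # core module; the LCG step overflows 64-bit integers

my $MULT = Math::BigInt->new('0x5DEECE66D');
my $ADD  = Math::BigInt->new('0xB');
my $MASK = Math::BigInt->new('0xFFFFFFFFFFFF');   # 2**48 - 1

# rand() returns state/2**48 exactly (48 bits fit in a double's mantissa),
# so the internal state is simply the observed output scaled back up.
sub state_from_output {
    my ($r) = @_;
    return Math::BigInt->new(int($r * 2**48));
}

# Advance the LCG once; the result is the next value rand() will return.
sub next_state {
    my ($state) = @_;
    return $state->copy->bmul($MULT)->badd($ADD)->band($MASK);
}

# Predict the next $n outputs of rand() from a single observed one.
sub predict_outputs {
    my ($observed, $n) = @_;
    my $s = state_from_output($observed);
    my @out;
    for (1 .. $n) {
        $s = next_state($s);
        push @out, $s->numify / 2**48;
    }
    return @out;
}

# An IV built the way a rand()-based generator builds one: one rand() call
# per byte. $next is a code ref returning the next float in [0,1).
sub rand_bytes {
    my ($n, $next) = @_;
    return pack 'C*', map { int($next->() * 256) } 1 .. $n;
}

# The hardened alternative: bytes from the operating system's CSPRNG.
# Crypt::URandom (assumed API: urandom($n)) is not core, so fall back to
# /dev/urandom (Unix only) when it is not installed.
sub csprng_bytes {
    my ($n) = @_;
    if (eval { require Crypt::URandom; 1 }) {
        return Crypt::URandom::urandom($n);
    }
    open my $fh, '<:raw', '/dev/urandom' or die "no entropy source: $!";
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return $buf;
}

# --- demonstration ------------------------------------------------------
my $leaked    = rand();                       # one value the attacker observed
my @predicted = predict_outputs($leaked, 16); # attacker's prediction
my @actual    = map { rand() } 1 .. 16;       # what the victim actually draws

my $hits = grep { $predicted[$_] == $actual[$_] } 0 .. 15;
printf "predicted %d of 16 subsequent rand() outputs exactly\n", $hits;

# The attacker rebuilds the victim's 16-byte rand()-derived IV byte for byte.
my @attacker_queue = @predicted;
my @victim_queue   = @actual;
my $iv_attacker = rand_bytes(16, sub { shift @attacker_queue });
my $iv_victim   = rand_bytes(16, sub { shift @victim_queue });
printf "rand()-derived IV : %s (%s)\n", unpack('H*', $iv_victim),
       $iv_attacker eq $iv_victim ? 'reproduced by attacker' : 'mismatch';
printf "CSPRNG IV         : %s\n", unpack('H*', csprng_bytes(16));
```

Because rand() emits its entire 48-bit state on every call, the comparison is exact rather than statistical: all 16 predicted values match, and the reconstructed IV is identical to the victim's. The CSPRNG path is the behaviour the module had before version 0.003, when Crypt::Random supplied the IV bytes.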
Impact
Because the IVs are predictable, the encryption applied to data sent by Net::NSCA::Client no longer provides the protection it is meant to. An attacker who can predict or reconstruct the IV stream is in a position to mount cryptographic attacks against the transmitted data, such as recovering plaintext or forging messages that the receiving NSCA daemon accepts. The practical severity depends on the encryption method configured for the NSCA connection, but any mode whose security relies on an unpredictable IV is affected.
Remediation
The affected range stated above includes version 0.009002, so no release on the MetaCPAN page for Net::NSCA::Client is identified here as fixing the issue; upgrading within the published versions does not resolve it. Until a release restores a cryptographically secure source for IV generation (the module used Crypt::Random before version 0.003), operators can patch their installation locally to draw IV bytes from a CSPRNG instead of Data::Rand::Obscure, and should check the MetaCPAN page for Net::NSCA::Client for a newer release before deploying. Verify any candidate version by confirming that its IV generation no longer depends on Perl's rand().
