Crypt::Random Perl Package Insecure Randomness Provider Vulnerability

A vulnerability exists in the Crypt::Random Perl package, specifically in versions 1.05 through 1.55, where the rand() function, known to be cryptographically weak, is used for cryptographic purposes. This issue is particularly prevalent in the default configuration on Windows versions of Perl, where the rand provider is insecure. If /dev/urandom or an Entropy Gathering Daemon (egd) service is not available, Crypt::Random defaults to the insecure rand provider, which is not suitable for any cryptographic use or situations where randomness is crucial for security.

Impact

The vulnerability allows for the use of insecure randomness in cryptographic functions, which can lead to predictable outcomes in scenarios requiring strong randomness, such as key generation or secure token creation.

Reproduction

To reproduce this vulnerability, use Crypt::Random in a Windows environment with a version of Perl that is prior to 5.16.0. Ensure that /dev/urandom is not available and that no Entropy Gathering Daemon (egd) service is running. In this configuration, Crypt::Random will default to the insecure rand provider, which can be verified by checking the 'Strength' setting, which will indicate a default of 0, signifying the use of the insecure rand provider.

Remediation

Users can update to Crypt::Random version 1.57 or later, where the rand provider has been switched to use Crypt::URandom, a more secure option. Instructions for updating can be found on the module's CPAN page.