Vision UI Security Kit Cryptographic Weakness in Random Number Generation

Vulnerability

A critical cryptographic vulnerability has been identified in the security kit module of the Vision UI library in versions 1.4.0 and earlier; the affected function, getSecureRandomInt, ships in security-kit versions prior to 3.5.0. The function reduces raw random bits to the caller's requested range with a bit mask, and that mask is computed with operations that silently wrap at 32 bits. For spans of 2^32 or less the mask is correct and the output is uniform, which is why ordinary use and testing do not expose the flaw. Once the span between the minimum and maximum values exceeds 2^32, the overflowed mask no longer covers the range: candidates are drawn from a truncated set, the distribution over the requested range is no longer uniform, and the output is biased and more predictable than the caller assumes. If the function is implemented in JavaScript, as its packaging suggests, the likely mechanism is that the bitwise operators (&, |, <<, >>>) operate on 32-bit integers and discard the high bits of larger operands without any error.

Impact

Where an application calls getSecureRandomInt with a range wider than 2^32, the values it produces (session identifiers, nonces, tokens, one-time codes, key material derived from the result) carry less entropy than the range implies and are correspondingly easier to guess or enumerate. The bias is silent: no error is raised and the function keeps returning plausible-looking values, so the weakness can go unnoticed in production. Calls with a span of 2^32 or less are not affected.

Reproduction

To reproduce, call getSecureRandomInt with a minimum and maximum whose difference exceeds 2^32 (for example a minimum of 0 and a maximum of 2^33) and collect a large number of samples. A correct implementation spreads the samples uniformly across the whole range; on an affected version the samples are visibly non-uniform, with part of the range over-represented and part of it under-represented or absent. Repeating the same test with a span just below 2^32 produces a uniform result, which isolates the defect to the handling of wide ranges.

Remediation

Upgrade Vision UI to version 1.5.0 or later, which includes the fix. Projects that consume the security-kit module directly should move to version 3.5.0 or later. After upgrading, audit callers of getSecureRandomInt for ranges wider than 2^32 and treat any tokens or secrets that were generated with such a range on an affected version as having reduced entropy; regenerate them rather than assume they are as unpredictable as their length suggests.

Added: Aug 6, 2025, 12:19 AM
Updated: Aug 6, 2025, 12:19 AM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          5.0
  exploitability  8.4
  remediation     7.7
  relevance       0.3
  threat          4.8
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.