Amon2::Plugin::Web::CSRFDefender Insecure Session ID Generation Vulnerability
Vulnerability
Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate insecure session IDs. The 'generate_session_id' function attempts to read bytes from '/dev/urandom'; if that device is unavailable, it falls back to a SHA-1 hash over the output of the built-in rand() function, the process ID (PID) and the high-resolution epoch time. This fallback is cryptographically weak: the PID is drawn from a limited range, and the epoch time can be estimated, or read outright from the response's HTTP Date header, which pins it down to the second and leaves only the sub-second fraction to search. Versions prior to 7.00 had the same weakness through a different implementation, one that used rand() directly to create session IDs.
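The following is an added Python model of the construction described above; it is not the Amon2 module's code and does not reproduce its exact string layout. It treats rand() as a function of the same guessable inputs (a modelling assumption: when its random device is unavailable, Perl seeds rand() from time and PID rather than from a CSPRNG), rounds the high-resolution clock to a configurable resolution so the demonstration runs in seconds, and shows how an attacker who has the Date header second and a plausible PID window recovers the inputs by brute force. The `search_space_size` helper computes the full cost for microsecond resolution and a given pid_max; the hardened generator beside it draws from the OS CSPRNG and fails closed instead of falling back. All constants, names and sample values are constructed for the example.

```python
"""Constructed model of the weak CSRFDefender fallback (SHA-1 over rand(), PID,
hi-res time) and a brute-force recovery, contrasted with an OS-CSPRNG generator.
Not the Amon2 module's code; every name and value here is an example assumption."""
import hashlib
import random
import secrets
from typing import Optional, Tuple

TIME_RESOLUTION_US = 1000   # assumption: model the clock at 1 ms so the demo is fast
PID_WINDOW = 1024           # assumption: attacker has narrowed the PID to this many values


def rand_fallback(pid: int, epoch_sec: int) -> float:
    """Model of rand() when /dev/urandom is unavailable.

    Assumption: Perl then seeds its PRNG from time and PID, so rand() adds no
    entropy independent of the quantities the attacker already guesses.
    """
    return random.Random((epoch_sec << 20) ^ pid).random()


def _digest(rand_value: float, pid: int, epoch_us: int) -> str:
    # Field layout is constructed; the weakness does not depend on it.
    material = f"{rand_value:.17g}:{pid}:{epoch_us}"
    return hashlib.sha1(material.encode()).hexdigest()


def weak_session_id(pid: int, epoch_us: int) -> str:
    """Weak fallback: sha1(rand . pid . hires_time) at TIME_RESOLUTION_US."""
    epoch_us -= epoch_us % TIME_RESOLUTION_US
    epoch_sec = epoch_us // 1_000_000
    return _digest(rand_fallback(pid, epoch_sec), pid, epoch_us)


def recover_weak_id(target: str, date_header_sec: int,
                    pid_lo: int, pid_hi: int) -> Optional[Tuple[int, int]]:
    """Brute-force (pid, epoch_us) for a token, given the Date header second.

    The second comes from the HTTP Date header, so only the sub-second part and
    the PID window are searched; rand() is recomputed once per PID because it
    depends only on PID and whole seconds in this model.
    """
    base = date_header_sec * 1_000_000
    for pid in range(pid_lo, pid_hi):
        r = rand_fallback(pid, date_header_sec)
        for us in range(0, 1_000_000, TIME_RESOLUTION_US):
            if _digest(r, pid, base + us) == target:
                return pid, base + us
    return None


def search_space_size(pid_range: int, time_resolution_us: int) -> int:
    """Number of SHA-1 candidates once the Date header fixes the second."""
    return pid_range * (1_000_000 // time_resolution_us)


def secure_session_id(nbytes: int = 20) -> str:
    """Hardened generator: OS CSPRNG only, no fallback to guessable inputs.

    secrets.token_hex raises if the OS source is unavailable, which is the
    correct failure mode for a security token.
    """
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    date_sec = 1_700_000_000                     # constructed: Date header second
    victim_pid = 4321                            # constructed: the server's PID
    sid = weak_session_id(victim_pid, date_sec * 1_000_000 + 123_000)
    print("weak id:     ", sid)
    print("recovered:   ", recover_weak_id(sid, date_sec, 4096, 4096 + PID_WINDOW))
    print("candidates at 1 us, pid_max 32768:", search_space_size(32768, 1))
    print("secure id:   ", secure_session_id())
```

With microsecond resolution and a default Linux pid_max of 32768 (an assumption about the target), the full search is about 3.3e10 SHA-1 evaluations, roughly 2^35, which is offline work measured in hours on commodity hardware, not a security margin; the model above shrinks the resolution only so the demonstration finishes quickly.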
Impact
Exploitation of this vulnerability yields predictable session IDs. Any security function that relies on the value being secret is affected, in particular the Cross-Site Request Forgery (CSRF) protection this plugin provides: an attacker who reproduces the token can submit a forged cross-site request that passes the CSRF check.
Remediation
Users are advised to update to Amon2::Plugin::Web::CSRFDefender version 7.04 or later, where the vulnerability is addressed by a more secure method of random number generation. Deployments that cannot upgrade immediately should at least verify that '/dev/urandom' is readable by the application process, since the weak path is only taken when it is not.
