Crypt::PasswdMD5 Insecure Random Salt Generation Vulnerability

A vulnerability exists in Crypt::PasswdMD5 versions through 1.42 for Perl, where the module generates insecure random values for salts used in password hashing. The issue arises because the built-in rand function is predictable and not suitable for cryptographic purposes, leading to potential weaknesses in password security.

Impact

This vulnerability can result in the use of weak, predictable salts in password hashing, which may be exploited to compromise password security.

Reproduction

The vulnerability can be reproduced by using Crypt::PasswdMD5 to generate a random salt for password hashing. The random_md5_salt function, which is available in versions through 1.42, uses the predictable rand function to create salts. This can be verified by observing the predictability of the generated salts, which can be replicated or anticipated based on the known behavior of the rand function.