ZF2013-02: Potential Information Disclosure and Insufficient Entropy vulnerabilities in Zend\Math\Rand and Zend\Validate\Csrf Components
In Zend Framework 2, the
Zend\Math\Rand component generates
random bytes using the OpenSSL or Mcrypt extensions when available but will
otherwise use PHP's
mt_rand() function as a fallback. All
mt_rand() are predictable for the same PHP
process if an attacker can brute force the seed used by the
Marsenne-Twister algorithm in a Seed Recovery Attack. This attack can be
successfully applied with minimum effort if the attacker has access to
either a random number from
mt_rand() or a Session ID
generated without using additional entropy. This makes
mt_rand() unsuitable for generating non-trivial random bytes
since it has Insufficient Entropy to protect against brute force attacks on
Zend\Validate\Csrf component generates CSRF tokens by SHA1
hashing a salt, random number possibly generated using
mt_rand() and a form name. Where the salt is known, an
attacker can brute force the SHA1 hash with minimum effort to discover the
random number when
mt_rand() is utilised as a fallback to the
OpenSSL and Mcrypt extensions. This constitutes an Information Disclosure
where the recovered random number may itself be brute forced to recover the
seed value and predict the output of other
mt_rand() calls for
the same PHP process. This may potentially lead to vulnerabilities in
areas of an application where
mt_rand() calls exist beyond the
scope of Zend Framework.
Zend Framework have revised the
Zend\Math\Rand component to replace the
mt_rand() fallback for OpenSSL/Mcrypt with Anthony Ferrara's
RandomLib, incorporating an additional
entropy source based on source code published by George Argyros. The new
fallback collects entropy from numerous sources other than PHP's internal seed
mechanism and extracts random bytes from the resulting mixed entropy pool.
If you are using either
Zend\Validate\Csrf, do not have either the OpenSSL or Mcrypt
extensions installed in PHP, and are on a non-Unix-like system, we
recommend upgrading immediately to version 2.0.8 or 2.1.4.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Pádraic Brady for identifying and reporting the issue, as well as providing a patch to resolve the issue
- Enrico Zimuel for collaborating on and reviewing the solution
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at email@example.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)
Released Thu, 14 March 2013 10:00:00 -0500.