Use of a Risky Cryptographic Primitive in x360ce/x360ce

Valid

Reported on

Jan 26th 2022


Description

x360ce uses the .NET Random and Guid classes to generate random numbers/bytes that are used for sensitive purposes.

Proof of Concept

None provided.

Impact

This vulnerability is capable of allowing attackers to predict sensitive information on x360ce's backend (see the 'occurrences' section for context).

We are processing your report and will contact the x360ce team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the x360ce team and are waiting to hear back a year ago
x360ce/x360ce maintainer
a year ago

Maintainer


Thank you for reporting. I will see if it can be replaced with more secure classes.

Michael Rowley submitted a
a year ago
Michael Rowley
a year ago

Researcher


No problem, I've submitted a patch for this issue - if it looks good and the character-set looks appropriate could you approve the report on here and merge the patch to main?

(The new version uses RandomNumberGenerator which is a CSPRNG offered by Microsoft as part of the .NET standard System.Security.Cryptography library)
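The following C# snippet is an added illustration of the class swap discussed in this thread; it is not x360ce code and not the contents of the linked pull request. It places a token generator built on System.Random and Guid.NewGuid() (the pattern the report flags) beside one built on RandomNumberGenerator, the CSPRNG in System.Security.Cryptography. The alphabet, the token length and the method names are assumptions chosen for the example; the code assumes .NET 5 or later (RandomNumberGenerator.GetInt32 needs .NET Core 3.0+, Convert.ToHexString needs .NET 5+).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not x360ce code. Contrasts a token generator built on
// System.Random / Guid (both designed for uniqueness or simulation, not secrecy)
// with one built on RandomNumberGenerator, the .NET CSPRNG.
public static class TokenGenerator
{
    // Character set is an assumption for illustration; a real project picks its own.
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: System.Random is a non-cryptographic PRNG. Its output is
    // statistically fine for simulations but is not designed to resist
    // prediction, so it must not back secrets, tokens or keys.
    public static string WeakToken(int length)
    {
        var rng = new Random();
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[rng.Next(Alphabet.Length)]);
        return sb.ToString();
    }

    // Also weak: Guid.NewGuid() promises uniqueness, not unpredictability.
    // A GUID is an identifier, not a secret.
    public static string WeakGuidToken() => Guid.NewGuid().ToString("N");

    // Strong: RandomNumberGenerator.GetInt32(max) draws from the OS CSPRNG and
    // returns a uniformly distributed value in [0, max), so indexing the alphabet
    // with it avoids the modulo bias of reducing raw bytes with '%'.
    public static string SecureToken(int length)
    {
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)]);
        return sb.ToString();
    }

    // For raw secret bytes (a key, a salt, a nonce) fill a buffer from the CSPRNG
    // directly instead of going through a character alphabet.
    public static byte[] SecureBytes(int count)
    {
        var buf = new byte[count];
        RandomNumberGenerator.Fill(buf);
        return buf;
    }

    public static void Main()
    {
        Console.WriteLine("weak (Random): " + WeakToken(32));
        Console.WriteLine("weak (Guid):   " + WeakGuidToken());
        Console.WriteLine("secure:        " + SecureToken(32));
        Console.WriteLine("secure bytes:  " + Convert.ToHexString(SecureBytes(16)));
    }
}
```

A review check that goes with this swap: search the code base for `new Random(` and `Guid.NewGuid()` and, for each hit, ask whether the value ever reaches an authentication, session, password-reset or key-derivation path; only those call sites need the CSPRNG, while Random remains acceptable for non-security uses such as shuffling or jitter.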

Michael Rowley
a year ago

Researcher


See https://github.com/x360ce/x360ce/pull/1341

x360ce/x360ce maintainer validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
x360ce/x360ce maintainer marked this as fixed in 4.17 with commit 7a5b0f a year ago
Michael Rowley has been awarded the fix bounty
This vulnerability will not receive a CVE