What is CVE-2023-31124?

CVE-2023-31124 is a vulnerability in the c-ares asynchronous resolver library that downgrades to using rand() as a fallback, allowing an attacker to take advantage of the lack of randomness in cryptographic keys.

What is the severity of CVE-2023-31124?

CVE-2023-31124 has a severity level of medium, with a CVSS score of 6.5.

What software versions are affected by CVE-2023-31124?

Versions up to and excluding 1.19.1 of the c-ares library and Fedora versions 37 and 38 are affected by CVE-2023-31124.

How can an attacker exploit CVE-2023-31124?

An attacker can exploit CVE-2023-31124 by taking advantage of the lack of randomness in cryptographic keys generated by the fallback rand() function.

Where can I find more information about CVE-2023-31124?

You can find more information about CVE-2023-31124 at the following references: [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-31124), [GitHub Security Advisory](https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209542).

Vulnerability/
CVE-2023-31124

medium

6.5

CWE

330

24/5/2023

25/5/2023

1/2/2024

CVE-2023-31124

First published: Wed May 24 2023(Updated: )

c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
C-ares Project C-ares	<1.19.1
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-31124?
CVE-2023-31124 is a vulnerability in the c-ares asynchronous resolver library that downgrades to using rand() as a fallback, allowing an attacker to take advantage of the lack of randomness in cryptographic keys.
What is the severity of CVE-2023-31124?
CVE-2023-31124 has a severity level of medium, with a CVSS score of 6.5.
What software versions are affected by CVE-2023-31124?
Versions up to and excluding 1.19.1 of the c-ares library and Fedora versions 37 and 38 are affected by CVE-2023-31124.
How can an attacker exploit CVE-2023-31124?
An attacker can exploit CVE-2023-31124 by taking advantage of the lack of randomness in cryptographic keys generated by the fallback rand() function.
Where can I find more information about CVE-2023-31124?
You can find more information about CVE-2023-31124 at the following references: [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-31124), [GitHub Security Advisory](https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209542).

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/nvd-api
collector/nvd-index
collector/nvd-latest
vendor/c-ares project
vendor/c-ares
vendor/fedoraproject
vendor/fedora
product/c-ares
canonical/c-ares project c-ares
product/fedora
canonical/fedoraproject fedora
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-31124
version/fedoraproject fedora/37
version/fedoraproject fedora/38