Security

Security Advisory: ZF2016-01

ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1

We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls:

  • Zend_Ldap_Attribute::createPassword
  • Zend_Form_Element_Hash::_generateHash
  • Zend_Gdata_HttpClient::filterHttpRequest
  • Zend_Filter_Encrypt_Mcrypt::_srand
  • Zend_OpenId::randomBytes

In each case, the methods were using rand() or mt_rand(), neither of which can generate cryptographically secure values. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

Moreover, we discovered a potential security issue in the usage of the openssl_random_pseudo_bytes() function in Zend_Crypt_Math::randBytes, reported in PHP BUG #70014, and the security implications reported in a discussion on the random_compat library.

Action Taken

We replaced the usage of rand() and mt_rand() with the random generators of ZF1 implemented in Zend_Crypt_Math().

Moreover, we removed the usage of openssl_random_pseudo_bytes() functions in Zend_Crypt_Math::randBytes(). This removal is not a BC break for Linux users thanks to the usage of /dev/urandom as an entropy source. For Windows users, this can be a BC break if the Mcrypt extension is not enabled.

The following releases contain the fixes:

  • Zend Framework 1.12.18

Recommendations

If you are using an affected version of PHP, we highly recommend upgrading immediately to Zend Framework 1.12.18.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Brian Engert of Soliant Consulting, who discovered, reported, and proposed a patch for the issue;
  • Enrico Zimuel, who tested the patch and added the patch for the OpenSSL usage removal.

Released 2016-04-13

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts