A vulnerability classified as critical was found in uTorrent (Peer-to-Peer Software) (version unknown). This vulnerability affects an unknown function of the component PRNG. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was released 01/31/2018 by Tavis Ormandy (taviso) as confirmed bug report (Website). The advisory is available at bugs.chromium.org. The public release was coordinated with the vendor. This vulnerability was named CVE-2018-25043. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details are unknown but a public exploit is available. The advisory points out:

I noticed that utorrent is using unmodified mersenne twister to generate authentication tokens and cookies, session identifiers, pairing keys, and so on. The PRNG is seeded with GetProcessId(), GetTickCount() etc. That is already not great quality seed data, but mersenne twister makes no guarantees that someone who can view sample output can't reconstruct the state of the PRNG.

It is declared as proof-of-concept.

Upgrading eliminates this vulnerability.

Additional details are provided at math.sci.hiroshima-u.ac.jp. Entries connected to this vulnerability are available at 113803, 113804, 113805 and 113807.

Productinfo

Type

• Peer-to-Peer Software

Name

• uTorrent

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion