CVE-2013-7373 in Androidinfo

Summary

by MITRE

Android before 4.4 does not properly arrange for seeding of the OpenSSL PRNG, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging use of the PRNG within multiple applications.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/12/2026

The vulnerability identified as CVE-2013-7373 represents a critical weakness in the Android operating system's cryptographic implementation prior to version 4.4. This flaw resides in the improper initialization of the OpenSSL Pseudo-Random Number Generator which serves as the foundation for numerous security mechanisms within the mobile platform. The issue stems from insufficient entropy seeding during the random number generation process, creating predictable patterns that adversaries can exploit to compromise cryptographic protections across multiple applications running on the same device. This weakness directly impacts the integrity of cryptographic operations including SSL/TLS connections, digital signatures, and encryption keys that rely on secure random number generation.

The technical root cause of this vulnerability can be traced to the improper handling of random number seeding within the Android framework's integration with OpenSSL. When multiple applications utilize the same underlying cryptographic libraries, they share the same uninitialized or inadequately seeded PRNG state, enabling attackers to correlate random sequences across different processes and applications. This weakness is categorized under CWE-330 as the use of insufficiently random values, specifically manifesting as inadequate entropy in cryptographic random number generation. The vulnerability allows attackers to predict or reconstruct the random number sequences used by various cryptographic functions, thereby undermining the security guarantees of encryption, authentication, and key generation mechanisms that depend on unpredictable randomness.

The operational impact of this vulnerability extends beyond individual application security to encompass the entire Android ecosystem's cryptographic trust model. Attackers can leverage this weakness to perform session hijacking, forge digital certificates, break SSL/TLS connections, and compromise secure communications between applications and servers. The vulnerability is particularly dangerous in environments where multiple security-sensitive applications run concurrently on the same device, as the predictability of random numbers can be exploited across different security contexts. This flaw enables adversaries to perform advanced persistent attacks where they can anticipate cryptographic outputs and manipulate secure communications, potentially leading to complete system compromise. The vulnerability affects the fundamental security primitives that Android relies upon for maintaining secure communications and protecting user data.

Mitigation strategies for CVE-2013-7373 require immediate system updates to Android version 4.4 or later, where the PRNG seeding mechanism has been properly implemented. Organizations should conduct comprehensive security assessments to identify applications that may be vulnerable due to their reliance on insecure random number generation. System administrators should implement monitoring solutions to detect unusual cryptographic behavior patterns that might indicate exploitation attempts. The remediation process involves updating the operating system to ensure proper entropy collection and seeding of the PRNG, implementing additional entropy sources, and verifying that cryptographic libraries are properly initialized. Security teams should also consider implementing network-based detection measures to identify potential exploitation attempts and establish incident response procedures for dealing with cryptographic compromise scenarios. This vulnerability demonstrates the critical importance of proper random number generation in cryptographic systems and aligns with ATT&CK technique T1083 which covers the discovery of system information through cryptographic weakness exploitation.

Reservation

04/29/2014

Disclosure

04/29/2014

Moderation

accepted

Entry

VDB-69536

CPE

ready

EPSS

0.01144

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!