CVE-2017-11133 in StashCat

Summary

by MITRE

An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. To encrypt messages, AES in CBC mode is used with a pseudo-random secret. This secret and the IV are generated with math.random() in previous versions and with CryptoJS.lib.WordArray.random() in newer versions, which uses math.random() internally. This is not cryptographically strong.

Analysis

by VulDB Data Team • 05/26/2020

The vulnerability identified as CVE-2017-11133 affects the StashCat messaging application on Android, Web, and Desktop. The flaw lies in the cryptographic implementation used for message encryption, specifically in the cipher configuration and the random number generation behind it: insecure random number generation undermines the encryption mechanism as a whole. Affected versions are through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop, so the whole product line was affected during these release cycles.

The core technical flaw is AES in CBC mode with a weakly generated encryption key and initialization vector. math.random() is a general-purpose pseudo-random function, not a cryptographic one, so using it to produce secrets is a critical failure of cryptographic practice. The newer versions that switched to CryptoJS.lib.WordArray.random() are no better off, because that function relies on math.random() internally, which only creates a false sense of security. Established cryptographic principles and standards require that randomness used for keys and IVs be unpredictable and statistically random, so that attackers cannot derive the encryption keys through cryptanalytic techniques; this implementation violates that requirement.

The operational impact is severe: the confidentiality of encrypted messages within StashCat is fundamentally compromised. An attacker who can predict or reproduce the pseudo-random sequences behind the keys and IVs can decrypt intercepted communications without authorization. The weakness is classified as CWE-330 Use of Insufficiently Random Values, a high-severity weakness in the Common Weakness Enumeration system. Because the flaw is present on every platform implementation, successful exploitation could compromise communications across all versions of the application. It enables passive eavesdropping, where an adversary who intercepts messages can decrypt them and expose personal information, communications, or business data.

Mitigation requires cryptographically secure random number generation for all of the application's cryptographic operations. math.random() and CryptoJS.lib.WordArray.random() must be replaced with cryptographic random number generators that meet industry standards such as those specified in NIST SP 800-90A, so that every key and initialization vector is generated with sufficient entropy and unpredictability. The developers should also conduct a comprehensive cryptographic review and adopt proper key management practices, including the use of established cryptographic libraries that provide secure random number generation. Affected installations should be updated to patched releases, and users should be advised to regenerate their encryption keys so that previously compromised communications cannot be decrypted by an attacker who obtained access to a vulnerable system. This vulnerability also aligns with ATT&CK technique T1548.001 for privilege escalation and T1005 for data theft, as it enables unauthorized access to encrypted communications and potentially sensitive data stored within the application.

Reservation

07/09/2017

Disclosure

08/01/2017

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low
