Predictable PRNG seeding in QAbstractOAuth (CVE-2024-36048) #shorts #breaking
CVE
This CVE, identified as CVE-2024-36048, highlights a significant security vulnerability in the Qt framework's network authorization component. Specifically, the vulnerability arises due to predictable random number generation in QAbstractOAuth. This vulnerability can be found in versions of Qt Network Authorization prior to 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1. Due to this flaw, attackers can predict random values, potentially compromising security mechanisms dependent on randomness. The vulnerability was last updated 5 months ago. While it's not a zero-day exploit and no specific attacks have been reported, developers and users of affected Qt versions should be aware of this issue due to the inherent risks associated with predictable random values.
Watch the full video on YouTube: CVE-2024-36048
Remediation and exploitation details
This chain involves the following actors
This following systems are involved
Attack entry point
Remediation actions
Exploitation actions
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
- https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGB6KUPJFQWUBKXVDPJUMAD6KNJJEWPW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZPHAI3DKDCIU6XLNS6PV6GFS2PHH3GZM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOOZZZSK5PNRHFGQMUGUHVYWLILFJCRS/