CVE-2023-39910

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-39910
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39910.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-39910
Published
2023-08-09T03:15:44Z
Modified
2025-01-14T11:53:48.444925Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from "bx seed" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor's position is that there was sufficient documentation advising against "bx seed" but others disagree. NOTE: this was exploited in the wild in June and July 2023.

References

Affected packages

Git / github.com/libbitcoin/libbitcoin-explorer

Affected ranges

Type
GIT
Repo
https://github.com/libbitcoin/libbitcoin-explorer
Events

Affected versions

v3.*

v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0