CVE-2024-56370 - Insecure Randomness in Net::Xero Perl Library Exposes Sensitive Data

CVE-2024-56370 highlights a major security vulnerability in the Perl module Net::Xero (version .044 and earlier). This widely-used library helps manage connections to the Xero accounting API. The core problem is that Net::Xero depends on the Data::Random Perl library to generate random numbers for cryptographic functions, and Data::Random uses Perl's built-in rand() function — which is not safe for security-critical tasks.

If you are using Net::Xero for authentication tokens, secrets, or session keys, this weakness may allow attackers to predict or brute-force values, potentially accessing sensitive information in your implementation.

The Problem: Weak Random Numbers

Generating strong, unpredictable random numbers is essential in any cryptographic operation. Perl's rand() is a pseudo-random number generator (PRNG) designed for simulations or simple randomness—not high-stakes cryptography.

Temporary keys and tokens

Documentation for Data::Random:
> "Useful mostly for test programs."

Despite this warning, Net::Xero uses it for real-world cryptographic needs.

Key Snippet From Net::Xero

use Data::Random qw(rand_words);

my @nonce = rand_words(size => 10);  # Used as part of an authentication token

What is wrong here?
If you know the time the server started, or can guess previous random outputs, you may be able to calculate or guess the next value produced by rand().

How rand() Can Be Exploited

Unlike /dev/urandom, Perl's rand() function is *not* unpredictable. Here's a super simplified version to show the risk:

# Somewhere inside Data::Random:
my @choices = ('a'..'z', 'A'..'Z', ..9);
my $random_char = $choices[ int(rand(@choices)) ];

An attacker with a few observed outputs can brute-force the internal seed. This is classically insecure.

Attacker captures some nonces:

By analyzing network traffic or logs, an attacker records a few token values created using Data::Random.

Predict future tokens:

The attacker can now 'guess' upcoming tokens and potentially hijack sessions, replay authentications, or access restricted resources.

Simple Perl Demo (Predicting rand())

# If attacker knows two outputs, they can guess the seed:
srand($possible_seed);
if (rand() == $captured_value1 && rand() == $captured_value2) {
    say "Found the seed!";
}

Of course, the above is a simplification, but it's the same principle that breaks old web authentication systems!

Replace insecure randomness with Perl’s cryptographically secure source

use Bytes::Random::Secure qw(random_string);

my $secure_token = random_string( length => 32 );

Or, on recent Perl

use Crypt::PRNG;
my $secure_nonce = Crypt::PRNG::random_bytes(16);

Recommendations

- Audit: If you use Net::Xero <.045, immediately audit any code using random values from Data::Random, especially for authentication, tokens, or cryptographic use.
- Upgrade: Watch Net::Xero’s release page for security advisories and patches.
- Validate libraries: Check documentation for any warning like "only for tests"—do not use test randomness in production!

References

- CVE-2024-56370 at NVD
- Net::Xero on MetaCPAN
- Data::Random documentation
- Perl rand() documentation

Conclusion

CVE-2024-56370 is a critical reminder: *never use basic pseudorandom functions for anything that controls access or secrets*. Audit all random number sources in your Perl (or any!) codebase, and make sure you use modules built for security, not for fun or testing.

Upgrading and patching quickly can mean the difference between safe data and a costly breach. Stay vigilant!

Timeline

Published on: 04/05/2025 19:15:38 UTC
Last modified on: 04/14/2025 18:15:28 UTC