CVE-2024-56370: Net::Xero .044 and Earlier for Perl Uses Insecure rand() Function for Cryptographic Functions, Compromising Security.

Net::Xero is a Perl module designed to interact with the Xero API, which is often used for managing financial accounts and businesses online. A recent discovery has identified a worrying problem in versions .044 and earlier of the module - the rand() function has been used as the default source of entropy for cryptographic functions. This poses a significant risk to the security of users relying on this Perl module.

The issue with the rand() function

The rand() function is a pseudorandom number generator (PRNG) built into the Perl programming language. While it can be useful in many applications, it is not cryptographically secure. This means that it is not suitable for use in cryptographic functions, including those found in Net::Xero.

The problem arises from the fact that Net::Xero uses another Perl module, Data::Random, for generating random data. Data::Random specifically states in its documentation that it is "useful mostly for test programs," and yet it is being used here in a module where security is of the utmost importance.

At the heart of this issue lies the fact that Data::Random relies on the vulnerable rand() function to generate random data. Consequently, using Data::Random as the source of entropy within Net::Xero is deeply concerning.

Here is a code snippet from Net::Xero .044, highlighting the use of Data::Random

use Data::Random qw(rand_chars);

# ...

my $nonce = join('', rand_chars(size => 32, set => 'all'));

Exploit details

An attacker can exploit this weakness by predicting the output of the rand() function through various techniques, enabling them to compromise the cryptographic functions within Net::Xero. This opens up the possibility of forged tokens and unauthorized access to sensitive data in applications relying on these cryptographic functions.

While the CVE has been assigned as CVE-2024-56370, it is crucial that developers using the affected versions of Net::Xero update their modules to fix this issue. To mitigate the risks, it is recommended that users switch to a cryptographically secure random number generator.

Original references

1. Net::Xero Perl module: https://metacpan.org/pod/Net::Xero
2. Data::Random Perl module: https://metacpan.org/pod/Data::Random
3. CVE-2024-56370: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56370

Conclusion

In summary, the use of the insecure rand() function in the cryptographic functions of Net::Xero .044 and earlier poses a grave security risk. It is essential for developers and businesses using this Perl module to update to a version that eliminates this vulnerability to protect their applications and user data from potential exploits.

Timeline

Published on: 04/05/2025 19:15:38 UTC
Last modified on: 04/14/2025 18:15:28 UTC