akka-remote is vulnerable to insecure random number generation. When a custom random number generator is configured, if the AES128CounterSecureRNG and AES256CounterSecureRNG are enabled, a malicious user can easily guess the random number used during encryption and possibly eavesdrop on ongoing communications. This is due to a bug in the AES128CounterSecureRNG and AES256CounterSecureRNG implementations, causing the generated numbers to repeat themselves after a few bytes.
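
To find deployments that have one of the two affected generators enabled, a configuration audit along the following lines can be run over application.conf files. This is an added example, not code from the advisory or from Akka; the leaf key name random-number-generator is assumed from Akka's remoting SSL settings and does not appear on this page, and the sample configuration is constructed.

```python
import re

# The two generators named in the advisory.
VULNERABLE_RNGS = {"AES128CounterSecureRNG", "AES256CounterSecureRNG"}

# Leaf key assumed from Akka's remoting SSL settings; it is not named on this page.
# Matches the nested form `random-number-generator = "X"` as well as the
# dotted form `some.path.random-number-generator: X`, quoted or unquoted.
_SETTING = re.compile(
    r'(?:^|[\s.{,])random-number-generator"?\s*[=:]\s*"?([A-Za-z0-9_]+)"?'
)


def strip_comment(line):
    """Remove HOCON '#' and '//' comments that sit outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line


def find_vulnerable_rng(conf_text):
    """Return [(line_number, generator)] for each active affected setting."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        match = _SETTING.search(strip_comment(raw))
        if match and match.group(1) in VULNERABLE_RNGS:
            findings.append((number, match.group(1)))
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = '''\
akka.remote.netty.ssl.security {
  # random-number-generator = "AES256CounterSecureRNG"
  random-number-generator = "AES128CounterSecureRNG"  // active setting
}
other.random-number-generator: AES256CounterSecureRNG
third.random-number-generator = "SHA1PRNG"
'''

if __name__ == "__main__":
    for number, generator in find_vulnerable_rng(SAMPLE_CONF):
        print(f"line {number}: random-number-generator = {generator}")
```

Commented-out settings are ignored, so only lines that would actually take effect are reported.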