CVE-2017-2625

Published: Jul 27, 2018Modified: Nov 21, 2024

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.

Affected (8)

Products: X.org: Libxdmcp · Redhat: Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Server Eus, Enterprise Linux Workstation

1 product

6 products

Enterprise Linux

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Workstation

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
X.org Libxdmcp	Before 1.1.2

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Server Aus	Version 7.4
Redhat Enterprise Linux Server Eus	Version 7.4
Redhat Enterprise Linux Server Eus	Version 7.5
Redhat Enterprise Linux Workstation	Version 7.0

Related CWEs

Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References (16)

http://www.securityfocus.com/bid/96480

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037919

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:1865

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2625

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://cgit.freedesktop.org/xorg/lib/libXdmcp/commit/?id=0554324ec6bbc2071f5d1f8ad211a1643e29eb1f

Source: secalert@redhat.com

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2019/11/msg00024.html

Source: secalert@redhat.com

https://security.gentoo.org/glsa/201704-03

Source: secalert@redhat.com

Third Party Advisory

https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/

Source: secalert@redhat.com

ExploitThird Party Advisory

http://www.securityfocus.com/bid/96480

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037919

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:1865

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2625

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://cgit.freedesktop.org/xorg/lib/libXdmcp/commit/?id=0554324ec6bbc2071f5d1f8ad211a1643e29eb1f

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2019/11/msg00024.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201704-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.