Vulnerability CVE-2017-11671


Published: 2017-07-26   Modified: 2017-07-27

Description:
Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.

Type:

CWE-338

(Use of Cryptographically Weak PRNG)

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.1/10
2.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
GNU -> GCC 

 References:
http://openwall.com/lists/oss-security/2017/07/27/2
http://www.securityfocus.com/bid/100018
https://access.redhat.com/errata/RHSA-2018:0849
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html

Copyright 2024, cxsecurity.com

 

Back to Top