CVE-2017-2626 - OpenCVE

It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Server Enterprise Linux Server Eus Enterprise Linux Desktop Enterprise Linux Workstation Enterprise Linux Server Aus
Freedesktop	Libice

Configuration 1 [-]

cpe:2.3:a:freedesktop:libice:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2019/07/14/3
http://www.securityfocus.com/bid/96480	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037919	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:1865	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2626	Issue Tracking Patch Third Party Advisory
https://cgit.freedesktop.org/xorg/lib/libICE/commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b	Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/11/msg00022.html
https://security.gentoo.org/glsa/201704-03	Third Party Advisory
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/	Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2018-07-27T19:00:00

Updated: 2019-11-23T23:07:01

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2626

JSON object: View

NVD Information

Status : Modified

Published: 2018-07-27T19:29:00.377

Modified: 2023-02-12T23:29:20.417

Link: CVE-2017-2626

JSON object: View

Redhat Information

No data.

CWE

CWE-331

{"containers": {"cna": {"affected": [{"product": "libICE", "vendor": "Xorg", "versions": [{"status": "affected", "version": "1.0.9-8"}]}], "datePublic": "2017-02-28T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "description": "CWE-331", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-11-23T23:07:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cgit.freedesktop.org/xorg/lib/libICE/commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b"}, {"name": "GLSA-201704-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201704-03"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2626"}, {"name": "RHSA-2017:1865", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1865"}, {"name": "1037919", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037919"}, {"name": "96480", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96480"}, {"tags": ["x_refsource_MISC"], "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/"}, {"name": "[oss-security] 20190714 Fwd: [ANNOUNCE] libICE 1.0.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/07/14/3"}, {"name": "[debian-lts-announce] 20191123 [SECURITY] [DLA 2002-1] libice security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00022.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2626", "datePublished": "2018-07-27T19:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2019-11-23T23:07:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freedesktop:libice:*:*:*:*:*:*:*:*", "matchCriteriaId": "432B67E9-224C-474E-8BEB-F0422AA2FF0F", "versionEndIncluding": "1.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list."}, {"lang": "es", "value": "Se ha descubierto que libICE en versiones anteriores a la 1.0.9-8 usaba una entrop\u00eda d\u00e9bil para generar claves. Un atacante local podr\u00eda utilizar este fallo para secuestrar sesiones utilizando la informaci\u00f3n disponible en la lista de procesos."}], "id": "CVE-2017-2626", "lastModified": "2023-02-12T23:29:20.417", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.0, "impactScore": 2.7, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-07-27T19:29:00.377", "references": [{"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2019/07/14/3"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96480"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037919"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1865"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2626"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://cgit.freedesktop.org/xorg/lib/libICE/commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00022.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201704-03"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-331"}], "source": "nvd@nist.gov", "type": "Secondary"}]}