#VU12267 Use of cryptographically weak PRNG in Gnu Compiler Collection - CVE-2017-11671

Cybersecurity Help s.r.o.

Published: 2018-04-27

Vulnerability identifier: #VU12267

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11671

CWE-ID: CWE-338

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gnu Compiler Collection
Client/Desktop applications / Software for system administration

Vendor: GNU

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the ix86_expand_builtin function in i386.c due to generating of instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. A remote attacker can trigger less randomness in random number generation and gain access to potentially sensitive information.

Mitigation
Update to versions 5.5 or 6.4.

Vulnerable software versions

Gnu Compiler Collection: 4.6.0 - 6.3.0

External links
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

VMware Tanzu products update for GNU gcc

Ubuntu update for gcc-5

Red Hat update for gcc

Information disclosure in Gnu Compiler Collection