CVE-2017-2624

Exploit

EPSS 0.11%
Veröffentlicht 27.07.2018 18:29:00
Zuletzt bearbeitet 29.08.2025 13:42:30
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

X.Org ≫ X Server Version <= 1.19.4

Debian ≫ Debian Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.3

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7	1	5.9	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	1.9	3.4	2.9	AV:L/AC:M/Au:N/C:P/I:N/A:N
secalert@redhat.com	5.9	1.4	4	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-385 Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

https://security.gentoo.org/glsa/201710-30

Third Party Advisory

https://security.gentoo.org/glsa/201704-03

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html

Third Party Advisory

http://www.securityfocus.com/bid/96480

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1037919

Third Party Advisory

VDB Entry