Information disclosure in Gnu Compiler Collection
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-11671 |
| CWE-ID | CWE-338 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Gnu Compiler Collection Client/Desktop applications / Software for system administration |
| Vendor | GNU |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use of cryptographically weak PRNG
EUVDB-ID: #VU12267
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11671
CWE-ID:
CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the ix86_expand_builtin function in i386.c due to generating of instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. A remote attacker can trigger less randomness in random number generation and gain access to potentially sensitive information.
Update to versions 5.5 or 6.4.
Vulnerable software versionsGnu Compiler Collection: 4.6.0 - 6.3.0
CPE2.3- cpe:2.3:a:gnu:gcc:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:4.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:4.8.0:*:*:*:*:*:*:*
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
