Main Vulnerability Database SB2017032501

SB2017032501 - Information disclosure in Gnu Compiler Collection

Published: March 25, 2017

Security Bulletin ID SB2017032501

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of cryptographically weak PRNG (CVE-ID: CVE-2017-11671)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the ix86_expand_builtin function in i386.c due to generating of instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. A remote attacker can trigger less randomness in random number generation and gain access to potentially sensitive information.

Remediation

Install update from vendor's website.

References

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180