Insufficient Entropy in libice (Alpine package)



Published: 2019-07-15
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-2626
CWE-ID CWE-331
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		libice (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficient Entropy

EUVDB-ID: #VU32017

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2626

CWE-ID: CWE-331 - Insufficient Entropy

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libice (Alpine package): 1.0.9-r3

External links

http://git.alpinelinux.org/aports/commit/?id=b6f789a805e86dc6efd059d4323f0b1692e89a05
http://git.alpinelinux.org/aports/commit/?id=f729394d67c738875abb40ff3d1acfa2f1203476


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###