Ubuntu update for gcc-5
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-11671 |
| CWE-ID | CWE-338 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system gdc-5 (Ubuntu package) Operating systems & Components / Operating system package or component gcj-5 (Ubuntu package) Operating systems & Components / Operating system package or component g++-5 (Ubuntu package) Operating systems & Components / Operating system package or component gfortran-5 (Ubuntu package) Operating systems & Components / Operating system package or component gcj-5-jre-headless (Ubuntu package) Operating systems & Components / Operating system package or component gccgo-5 (Ubuntu package) Operating systems & Components / Operating system package or component gccgo-6 (Ubuntu package) Operating systems & Components / Operating system package or component gcj-5-jdk (Ubuntu package) Operating systems & Components / Operating system package or component gcc-5 (Ubuntu package) Operating systems & Components / Operating system package or component gnat-5 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use of cryptographically weak PRNG
EUVDB-ID: #VU12267
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-11671
CWE-ID:
CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the ix86_expand_builtin function in i386.c due to generating of instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. A remote attacker can trigger less randomness in random number generation and gain access to potentially sensitive information.
Update the affected package gcc-5 to the latest version.
Vulnerable software versionsUbuntu: 16.04
gdc-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
gcj-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
g++-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
gfortran-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
gcj-5-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)
gccgo-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
gccgo-6 (Ubuntu package): before Ubuntu Pro (Infra-only)
gcj-5-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)
gcc-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
gnat-5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:gdc-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gcj-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:g_plus_plus_-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gfortran-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gcj-5-jre-headless_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gccgo-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gccgo-6_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gcj-5-jdk_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gcc-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:gnat-5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5770-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
