Use of cryptographically weak PRNG in Gnu Compiler Collection - CVE-2017-11671
Published: April 27, 2018
Vulnerability identifier: #VU12267
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-11671
CWE-ID: CWE-338
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GNU
Affected software:
Gnu Compiler Collection
Gnu Compiler Collection
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the ix86_expand_builtin function in i386.c due to generating of instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. A remote attacker can trigger less randomness in random number generation and gain access to potentially sensitive information.
The weakness exists in the ix86_expand_builtin function in i386.c due to generating of instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. A remote attacker can trigger less randomness in random number generation and gain access to potentially sensitive information.
How to mitigate CVE-2017-11671
Update to versions 5.5 or 6.4.