Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Gnu Compiler Collection - CVE-2019-15847

 

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Gnu Compiler Collection - CVE-2019-15847

Published: May 26, 2020


Vulnerability identifier: #VU28259
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-15847
CWE-ID: CWE-338
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: GNU
Affected software:
Gnu Compiler Collection

Detailed vulnerability description

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to the POWER9 backend in GNU Compiler Collection (GCC) can optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This vulnerability may weaken security features that rely on random number generator.


How to mitigate CVE-2019-15847

Install updates from vendor's website.

Sources