Information disclosure in Debian Linux - CVE-2017-2624
Published: July 27, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36813
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-2624
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Debian
Affected software:
Debian Linux
Debian Linux
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.
How to mitigate CVE-2017-2624
Install update from vendor's website.
Sources
- http://www.securityfocus.com/bid/96480
- http://www.securitytracker.com/id/1037919
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624
- https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c
- https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html
- https://security.gentoo.org/glsa/201704-03
- https://security.gentoo.org/glsa/201710-30
- https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/