Use of insufficiently random values in Linux kernel - CVE-2020-25705
Published: November 17, 2020 / Updated: August 15, 2021
Vulnerability identifier: #VU49150
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-25705
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.
How to mitigate CVE-2020-25705
Install updates from vendor's website.