Predictable seed in pseudo-random number generator (prng) in Linux kernel - CVE-2007-2453
Published: June 12, 2007 / Updated: October 30, 2018
Vulnerability identifier: #VU95256
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2007-2453
CWE-ID: CWE-337
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to gain access to sensitive information.
The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source.
How to mitigate CVE-2007-2453
Install update from vendor's repository.
Sources
- http://marc.info/?l=linux-kernel&m=118128610219959&w=2
- http://marc.info/?l=linux-kernel&m=118128622431272&w=2
- http://osvdb.org/37114
- http://secunia.com/advisories/25596
- http://secunia.com/advisories/25700
- http://secunia.com/advisories/25961
- http://secunia.com/advisories/26133
- http://secunia.com/advisories/26139
- http://secunia.com/advisories/26450
- http://secunia.com/advisories/26620
- http://secunia.com/advisories/26664
- http://www.debian.org/security/2007/dsa-1356
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:171
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:196
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:216
- http://www.novell.com/linux/security/advisories/2007_43_kernel.html
- http://www.novell.com/linux/security/advisories/2007_51_kernel.html
- http://www.securityfocus.com/bid/24390
- http://www.securitytracker.com/id?1018248
- http://www.ubuntu.com/usn/usn-470-1
- http://www.ubuntu.com/usn/usn-486-1
- http://www.ubuntu.com/usn/usn-489-1
- http://www.vupen.com/english/advisories/2007/2105
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34781
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9960
- https://rhn.redhat.com/errata/RHSA-2007-0376.html