#VU95686 Use of insufficiently random values in Linux kernel - CVE-2020-16166


| Updated: 2022-04-26

Vulnerability identifier: #VU95686

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-16166

CWE-ID: CWE-330

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to use of insufficiently random values error within the prandom_state_selftest() function in lib/random32.c, within the update_process_times() function in kernel/time/timer.c, within the add_interrupt_randomness() function in drivers/char/random.c. A remote non-authenticated attacker can gain access to sensitive information.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4
https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/
https://security.netapp.com/advisory/ntap-20200814-0004/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.html
https://usn.ubuntu.com/4526-1/
https://usn.ubuntu.com/4525-1/
https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
https://arxiv.org/pdf/2012.07432.pdf
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638
https://www.oracle.com/security-alerts/cpuApr2021.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for kernel(ANCK)4.19
Anolis OS update for kernel(ANCK)4.19
Multiple vulnerabilities in OpenShift Virtualization 2.5
Red Hat Enterprise Linux 8 update for kernel
Red Hat Enterprise Linux 8 update for kernel-rt
Red Hat Enterprise Linux 8 update for kernel-rt
Red Hat Enterprise Linux 8 update for kernel
Red Hat Enterprise Linux 8 update for kernel
Slackware Linux update for kernel
Red Hat Enterprise Linux 7 update for kernel-alt