CVE-2017-2626 — Insufficient Entropy in Libice

CWE-331 — Insufficient Entropy9 documents8 sources

Severity

5.5MEDIUMNVD

CNA5.2

EPSS

0.1%

top 73.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Libice Xorg Libice Redhat Enterprise Linux Desktop +4 more

Timeline

PublishedJul 27

Latest updateNov 28

Description

It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶NVDfreedesktop/libice1.0.9

▶CVEListV5xorg/libice1.0.9-8

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Enterprise Linux 7.4, 7.5

Patches

Patch: bugzilla.redhat.com ↗Patch: cgit.freedesktop.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-jqp9-hwjj-p328: It was discovered that libICE before 1↗2022-05-14

▶

CVEList

CVE-2017-2626: It was discovered that libICE before 1↗2018-07-27

▶

OSV

CVE-2017-2626: It was discovered that libICE before 1↗2018-07-27

▶

📋Vendor Advisories

Ubuntu

libICE vulnerability↗2022-11-28

▶

Red Hat

libICE: weak entropy usage in session keys↗2017-02-28

▶

Debian

CVE-2017-2626: libice - It was discovered that libICE before 1.0.9-8 used a weak entropy to generate key...↗2017

▶

💬Community

Bugzilla

CVE-2017-2626 libICE: weak entropy usage in session keys [fedora-all]↗2017-03-01

▶

Bugzilla

CVE-2017-2626 libICE: weak entropy usage in session keys↗2017-02-20

▶