CVE-2017-2626medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.
References
http://www.openwall.com/lists/oss-security/2019/07/14/3
http://www.securityfocus.com/bid/96480
http://www.securitytracker.com/id/1037919
https://access.redhat.com/errata/RHSA-2017:1865
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2626
https://cgit.freedesktop.org/xorg/lib/libICE/commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b
Details
Source: MITRE
Published: 2018-07-27
Updated: 2019-07-14
Type: CWE-331
Risk Information
CVSS v2
Base Score: 2.1
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 3.9
Severity: LOW
CVSS v3
Base Score: 5.5
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 1.8
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:freedesktop:libice:*:*:*:*:*:*:*:* versions up to 1.0.9 (inclusive)
Configuration 2
OR
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 140940 | EulerOS Virtualization for ARM 64 3.0.6.0 : libICE (EulerOS-SA-2020-1992) | Nessus | Huawei Local Security Checks | medium |
| 131247 | Debian DLA-2002-1 : libice security update | Nessus | Debian Local Security Checks | medium |
| 106578 | SUSE SLED12 / SLES12 Security Update : libICE (SUSE-SU-2018:0337-1) | Nessus | SuSE Local Security Checks | medium |
| 103070 | EulerOS 2.0 SP2 : libXpm, libXdmcp, libICE (EulerOS-SA-2017-1212) | Nessus | Huawei Local Security Checks | critical |
| 103069 | EulerOS 2.0 SP1 : libXpm, libXdmcp, libICE (EulerOS-SA-2017-1211) | Nessus | Huawei Local Security Checks | critical |
| 102740 | CentOS 7 : libICE / libX11 / libXaw / libXcursor / libXdmcp / libXfixes / libXfont / libXfont2 / etc (CESA-2017:1865) | Nessus | CentOS Local Security Checks | critical |
| 102636 | Scientific Linux Security Update : X.org X11 libraries on SL7.x x86_64 (20170801) | Nessus | Scientific Linux Local Security Checks | critical |
| 102340 | Oracle Linux 7 : X.org / X11 / libraries (ELSA-2017-1865) | Nessus | Oracle Linux Local Security Checks | critical |
| 102147 | RHEL 7 : X.org X11 libraries (RHSA-2017:1865) | Nessus | Red Hat Local Security Checks | critical |
| 101664 | Fedora 26 : libICE (2017-7ac378e011) | Nessus | Fedora Local Security Checks | medium |
| 101519 | SUSE SLES11 Security Update : xorg-x11-libICE (SUSE-SU-2017:1848-1) | Nessus | SuSE Local Security Checks | medium |
| 101390 | SUSE SLED12 / SLES12 Security Update : libICE (SUSE-SU-2017:1835-1) | Nessus | SuSE Local Security Checks | medium |
| 101281 | openSUSE Security Update : libICE (openSUSE-2017-784) | Nessus | SuSE Local Security Checks | medium |
| 99276 | GLSA-201704-03 : X.Org: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 97540 | Fedora 24 : libICE (2017-d068b54614) | Nessus | Fedora Local Security Checks | medium |
| 97539 | Fedora 25 : libICE (2017-c02eb668a7) | Nessus | Fedora Local Security Checks | medium |