Vulnerability Details : CVE-2017-11671
Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
Products affected by CVE-2017-11671
- cpe:2.3:a:gnu:gcc:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:4.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:4.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:4.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gcc:5.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-11671
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-11671
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
4.0
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
2.5
|
1.4
|
NIST |
CWE ids for CVE-2017-11671
-
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11671
-
https://access.redhat.com/errata/RHSA-2018:0849
RHSA-2018:0849 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/100018
GNU GCC CVE-2017-11671 Insecure Random Number Generator WeaknessThird Party Advisory;VDB Entry
-
http://openwall.com/lists/oss-security/2017/07/27/2
oss-security - CVE-2017-11671: GCC generates incorrect code for RDRAND/RDSEED intrinsicsMailing List;Third Party Advisory
-
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
80180 – (CVE-2017-11671) Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)Issue Tracking;Vendor Advisory
-
https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html
Uros Bizjak - [PATCH, i386]: Fix PR 80180, Incorrect codegen from rdseed intrinsic useMailing List
Jump to