Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2017-2625: libXdmcp: Weak entropy usage for session keys in libxdm | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | abergmann, krahmer, matthias.gerstner, meissner, sndirsch |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | CVSSv2:SUSE:CVE-2017-2625:4.9:(AV:L/AC:L/Au:N/C:C/I:N/A:N) maint:released:sle10-sp3:63742 | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1025639 | | |
| Attachments: | X41-2017-001.txt | | |
Description
Matthias Gerstner
2017-02-13 16:32:48 UTC
Our codestreams don't even have that #else branch. Code is found in:

SUSE:SLE-10-SP3:Update/xorg-x11/xc/lib/Xdmcp/GenKey.c
SUSE:SLE-11:Update/xorg-x11-libXdmcp/libXdmcp-1.0.2/GenKey.c
SUSE:SLE-12:Update/libXdmcp/libXdmcp-1.1.1/Key.c

I guess we can consider all codestreams as affected. There is no final patch available yet. In worst case we can read some sensible random data from /dev/?random.

bugbot adjusting priority

now public

Created attachment 715739 [details]
X41-2017-001.txt
Weak entropy usage for session keys in libxdm
=============================================
Vulnerability Type: Other
Affected Products: libXdmcp
Attack Type: Local
Impact: Escalation of Privileges
Severity Rating: medium
Confirmed Affected Version: 1.1.2 and lower
Confirmed Patched Version:
Vector: local
CVE: CVE-2017-2625
CVSS Score: 7.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary and Impact
------------------
To further explore the auth mechanism libXdmcp-1.1.2 was checked as well.
XDM uses weak entropy to generate the session keys on non BSD systems:
    void
    XdmcpGenerateKey (XdmAuthKeyPtr key)
    {
    #ifndef HAVE_ARC4RANDOM_BUF
        long lowbits, highbits;

        srandom ((int)getpid() ^ time((Time_t *)0));
        lowbits = random ();
        highbits = random ();
        getbits (lowbits, key->data);
        getbits (highbits, key->data + 4);
    #else
        arc4random_buf(key->data, 8);
    #endif
    }
On multi user systems it might be possible to check the PID of the process
and how long it is running to get an estimate of these values, which
could allow an attacker to attach to the session of a different user.
Several checked Linux distributions (debian testing, archlinux and
Ubuntu) did not link against libbsd at the time this was found.
Workaround
----------
Compile against libbsd
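The weak non-BSD path quoted above beside a hardened replacement, as an added example that is not libXdmcp code and not part of the X41 advisory. XdmAuthKeyRec here is a local stand-in for the libXdmcp type, and getbits() (its packing is not shown on the page), weak_key_from_seed(), secure_random_bytes(), XdmcpGenerateKeySecure() and the two check helpers are this example's own names. The hardened path takes the key from getrandom(2) where glibc 2.25 or newer declares it (the same baseline the upstream getentropy() fix needs) and otherwise from /dev/urandom, the fallback the first comment mentions, so it does not require libbsd's arc4random_buf():

```c
/* Added example, not libXdmcp code: the weak pid^time-seeded key path beside a
 * hardened one that takes the 8-byte XDM-AUTH key from the kernel CSPRNG.
 * All names below are this example's own; XdmAuthKeyRec mimics the libXdmcp type. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
#if __GLIBC_PREREQ(2, 25)     /* getrandom(2): glibc 2.25+, same baseline as getentropy() */
#include <sys/random.h>
#define HAVE_GETRANDOM 1
#endif
#endif

#define XDM_KEY_LEN 8
typedef struct { unsigned char data[XDM_KEY_LEN]; } XdmAuthKeyRec, *XdmAuthKeyPtr;

/* Assumed little-endian packing of a long into four bytes (getbits is not on the page). */
static void getbits(long value, unsigned char *dst)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (unsigned char)((value >> (8 * i)) & 0xff);
}

/* The vulnerable path as quoted, with the seed made a parameter: the whole
 * 64-bit key is a function of one 32-bit value, (int)getpid() ^ time(). */
void weak_key_from_seed(XdmAuthKeyPtr key, unsigned int seed)
{
    srandom(seed);
    getbits(random(), key->data);
    getbits(random(), key->data + 4);
}

/* Read exactly len bytes from /dev/urandom; 0 on success, -1 on any failure. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* CSPRNG bytes: getrandom(2) first (reads <= 256 bytes are not interrupted),
 * /dev/urandom otherwise (e.g. ENOSYS on a kernel older than 3.17). */
int secure_random_bytes(unsigned char *buf, size_t len)
{
#ifdef HAVE_GETRANDOM
    if (len <= 256 && getrandom(buf, len, 0) == (ssize_t)len)
        return 0;
#endif
    return fill_from_urandom(buf, len);
}

/* Hardened generation. On failure the key is zeroed and -1 returned, so a
 * caller cannot silently keep using leftover stack bytes as the session key. */
int XdmcpGenerateKeySecure(XdmAuthKeyPtr key)
{
    if (secure_random_bytes(key->data, XDM_KEY_LEN) != 0) {
        memset(key->data, 0, XDM_KEY_LEN);
        return -1;
    }
    return 0;
}

/* Same seed, same key: the weak path yields at most 2^32 distinct keys. */
int weak_key_is_deterministic(unsigned int seed)
{
    XdmAuthKeyRec a, b;
    weak_key_from_seed(&a, seed);
    weak_key_from_seed(&b, seed);
    return memcmp(a.data, b.data, XDM_KEY_LEN) == 0;
}

/* Two hardened keys must both be produced and must not collide. */
int secure_keys_differ(void)
{
    XdmAuthKeyRec a, b;
    if (XdmcpGenerateKeySecure(&a) != 0 || XdmcpGenerateKeySecure(&b) != 0)
        return 0;
    return memcmp(a.data, b.data, XDM_KEY_LEN) != 0;
}

int main(void)
{
    XdmAuthKeyRec w, s;
    weak_key_from_seed(&w, (unsigned int)((int)getpid() ^ time(NULL)));
    if (XdmcpGenerateKeySecure(&s) != 0) return 1;
    for (int i = 0; i < XDM_KEY_LEN; i++) printf("%02x", w.data[i]);
    printf("  weak key (seed = pid ^ time)\n");
    for (int i = 0; i < XDM_KEY_LEN; i++) printf("%02x", s.data[i]);
    printf("  hardened key (kernel CSPRNG)\n");
    printf("weak key repeats for a repeated seed: %s\n",
           weak_key_is_deterministic(12345u) ? "yes" : "no");
    return 0;
}
```

Build with `cc -o keygen keygen.c` and run it twice: the hardened key changes every run, while the weak key only changes when pid ^ time does. The property to check in a backport is the same whichever source is used (getentropy(), arc4random_buf() from libbsd, getrandom(2) or /dev/urandom): the key must not be derivable from the process id and start time, and a failed entropy read must be reported rather than leave the key buffer uninitialised.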
Seems the issue has meanwhile been addressed via git commits 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f 6d1aee0310001eca8f6ded9814a2a70b3a774896 in libXdmcp.

getentropy() needs glibc 2.25, which is currently only provided by factory. Leap 42.2/42.3 doesn't fulfill this requirement, let alone sle12, sle11, sle10. arc4random_buf() needs libbsd. Do we really want to add this requirement for the Leap products (42.2/42.3)? On sle12, sle11, sle10 we apparently ship no libbsd. Matthias? Marcus?

Factory done: SR#502911

This is an autogenerated message for OBS integration: This bug (1025046) was mentioned in https://build.opensuse.org/request/show/502911 Factory / libXdmcp

matthias has a suggestion in the other bug.

sorry for not having time earlier for this

Before adding replacements for getentropy() git commits 6d1aee0310001eca8f6ded9814a2a70b3a774896 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f 9f4cac7656b221ce2a8f97e7bd31e5e23126d001 need to be added for Leap 42.2 and older.

fixed and submitrequested for Leap 42.2 and older (sle12, sle11 and sle10).

Sorry! Reopen. Reassigning to security team instead!

This is an autogenerated message for OBS integration: This bug (1025046) was mentioned in https://build.opensuse.org/request/show/506829 42.2 / libXdmcp

An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-07-17. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63741

openSUSE-SU-2017:1802-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1025046
CVE References: CVE-2017-2625
Sources used:
openSUSE Leap 42.2 (src): libXdmcp-1.1.2-3.3.1

*** Bug 815650 has been marked as a duplicate of this bug. ***

SUSE-SU-2017:1862-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1025046
CVE References: CVE-2017-2625
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libXdmcp-1.1.1-10.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libXdmcp-1.1.1-10.1
SUSE Linux Enterprise Server 12-SP2 (src): libXdmcp-1.1.1-10.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libXdmcp-1.1.1-10.1

SUSE-SU-2017:1868-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1025046
CVE References: CVE-2017-2625
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xorg-x11-libXdmcp-7.4-3.1
SUSE Linux Enterprise Server 11-SP4 (src): xorg-x11-libXdmcp-7.4-3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-libXdmcp-7.4-3.1

released

SUSE-SU-2018:0338-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1025046
CVE References: CVE-2017-2625
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libXdmcp-1.1.1-12.1
SUSE Linux Enterprise Server 12-SP3 (src): libXdmcp-1.1.1-12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libXdmcp-1.1.1-12.1