CVE-2017-11671: Weak RNG
First published: Wed Jul 26 2017(Updated: )
Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gcc | <5.5 | 5.5 |
| redhat/gcc | <6.4 | 6.4 |
| GNU Compiler Collection (GCC) | =4.6 | |
| GNU Compiler Collection (GCC) | =4.7 | |
| GNU Compiler Collection (GCC) | =4.8 | |
| GNU Compiler Collection (GCC) | =4.9 | |
| GNU Compiler Collection (GCC) | =5.0 | |
| GNU Compiler Collection (GCC) | =5.1 | |
| GNU Compiler Collection (GCC) | =5.2 | |
| GNU Compiler Collection (GCC) | =5.3 | |
| GNU Compiler Collection (GCC) | =5.4 | |
| GNU Compiler Collection (GCC) | =6.0 | |
| GNU Compiler Collection (GCC) | =6.1 | |
| GNU Compiler Collection (GCC) | =6.2 | |
| GNU Compiler Collection (GCC) | =6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://openwall.com/lists/oss-security/2017/07/27/2
- http://www.securityfocus.com/bid/100018
- https://access.redhat.com/errata/RHSA-2018:0849
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
- https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html
- http://seclists.org/oss-sec/2017/q3/218
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1475735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1475736
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1475737
- https://bugzilla.redhat.com/show_bug.cgi?id=1475733
Frequently Asked Questions
What is the severity of CVE-2017-11671?
CVE-2017-11671 is considered a high severity vulnerability due to its potential impact on the integrity of random number generation.
How do I fix CVE-2017-11671?
To fix CVE-2017-11671, update your GCC version to 5.5 or 6.4 or later.
What is affected by CVE-2017-11671?
CVE-2017-11671 affects GNU Compiler Collection (GCC) versions 4.6 through 6.3.
Can CVE-2017-11671 lead to exploitation?
Yes, CVE-2017-11671 may lead to exploitation by allowing an attacker to predict values from random number generation.
Is CVE-2017-11671 a local or remote vulnerability?
CVE-2017-11671 is primarily considered a local vulnerability impacting applications running with GCC compilers.
- agent/type
- agent/softwarecombine
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-11671
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/gnu
- canonical/gnu compiler collection (gcc)
- version/gnu compiler collection (gcc)/4.6
- version/gnu compiler collection (gcc)/4.7
- version/gnu compiler collection (gcc)/4.8
- version/gnu compiler collection (gcc)/4.9
- version/gnu compiler collection (gcc)/5.0
- version/gnu compiler collection (gcc)/5.1
- version/gnu compiler collection (gcc)/5.2
- version/gnu compiler collection (gcc)/5.3
- version/gnu compiler collection (gcc)/5.4
- version/gnu compiler collection (gcc)/6.0
- version/gnu compiler collection (gcc)/6.1
- version/gnu compiler collection (gcc)/6.2
- version/gnu compiler collection (gcc)/6.3