CVE-2020-16166: Infoleak
First published: Wed Jul 29 2020(Updated: )
A flaw was found in the Linux kernel. The generation of the device ID from the network RNG internal state is predictable. The highest threat from this vulnerability is to data confidentiality.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-alt | <0:4.14.0-115.32.1.el7a | 0:4.14.0-115.32.1.el7a |
| redhat/kernel-rt | <0:4.18.0-240.8.1.rt7.62.el8_3 | 0:4.18.0-240.8.1.rt7.62.el8_3 |
| redhat/kernel | <0:4.18.0-240.8.1.el8_3 | 0:4.18.0-240.8.1.el8_3 |
| redhat/kernel | <0:4.18.0-147.38.1.el8_1 | 0:4.18.0-147.38.1.el8_1 |
| redhat/kernel-rt | <0:4.18.0-193.37.1.rt13.87.el8_2 | 0:4.18.0-193.37.1.rt13.87.el8_2 |
| redhat/kernel | <0:4.18.0-193.37.1.el8_2 | 0:4.18.0-193.37.1.el8_2 |
| Linux Kernel | <=5.7.11 | |
| openSUSE | =15.1 | |
| openSUSE | =15.2 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian GNU/Linux | =9.0 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| NetApp Active IQ Unified Manager for VMware vSphere | >=9.5 | |
| netapp cloud volumes ontap mediator | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.60.3 | |
| netapp hci bootstrap os | ||
| netapp hci management node | ||
| netapp solidfire | ||
| NetApp SteelStore | ||
| netapp storagegrid | <=9.0.4 | |
| All of | ||
| netapp h410c firmware | ||
| netapp h410c | ||
| Oracle SD-WAN Edge | =8.2 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 | |
| Fedora | =31 | |
| Fedora | =32 | |
| Debian | =9.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 | |
| netapp h410c firmware | ||
| netapp h410c |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-16166 https://nvd.nist.gov/vuln/detail/CVE-2020-16166
- https://bugzilla.redhat.com/show_bug.cgi?id=1865751
- https://access.redhat.com/errata/RHSA-2020:4279
- https://access.redhat.com/errata/RHSA-2020:5506
- https://access.redhat.com/errata/RHSA-2020:5473
- https://access.redhat.com/errata/RHSA-2021:0184
- https://access.redhat.com/errata/RHSA-2020:5428
- https://access.redhat.com/errata/RHSA-2020:5418
- https://access.redhat.com/security/cve/cve-2020-16166
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4
- https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/
- https://security.netapp.com/advisory/ntap-20200814-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.html
- https://usn.ubuntu.com/4525-1/
- https://usn.ubuntu.com/4526-1/
- https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html
- https://arxiv.org/pdf/2012.07432.pdf
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://launchpad.net/bugs/cve/CVE-2020-16166
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1865752
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/
- https://git.kernel.org/linus/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
- https://security-tracker.debian.org/tracker/CVE-2020-16166
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16166
- https://nvd.nist.gov/vuln/detail/CVE-2020-16166
- https://ubuntu.com/security/CVE-2020-16166
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-16166?
CVE-2020-16166 is classified as having a high severity level due to its potential impact on data confidentiality.
Which systems are affected by CVE-2020-16166?
CVE-2020-16166 affects multiple versions of the Linux kernel and various distributions including Red Hat, OpenSUSE, Fedora, and Debian.
How do I fix CVE-2020-16166?
To mitigate CVE-2020-16166, update to the latest patched versions of the affected Linux kernel packages as specified by your distribution.
How does CVE-2020-16166 impact data confidentiality?
CVE-2020-16166 can lead to predictable device IDs from the network RNG, posing a risk to data confidentiality.
What are the specific kernel versions that address CVE-2020-16166?
The fixed versions for the Linux kernel addressing CVE-2020-16166 include 4.14.0-115.32.1.el7a, 4.18.0-240.8.1.el8_3, among others, depending on the distribution.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-16166
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.7.11
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- version/opensuse/15.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- vendor/netapp
- canonical/netapp active iq unified manager for vmware vsphere
- version/netapp active iq unified manager for vmware vsphere/9.5
- canonical/netapp cloud volumes ontap mediator
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.60.3
- canonical/netapp hci bootstrap os
- canonical/netapp hci management node
- canonical/netapp solidfire
- canonical/netapp steelstore
- canonical/netapp storagegrid
- version/netapp storagegrid/9.0.4
- canonical/netapp h410c firmware
- canonical/netapp h410c
- vendor/oracle
- canonical/oracle sd-wan edge
- version/oracle sd-wan edge/8.2
- package-manager/debian
- canonical/fedora
- version/fedora/31
- version/fedora/32
- canonical/debian
- version/debian/9.0
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/20.04