Veracode Vulnerability DatabaseVERACODE:12798Insecure Random Number Generator
4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
gcc is vulnerable to insecure random number generator attacks. The vulnerability exists under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
| CPE | Name | Operator | Version |
|---|---|---|---|
| gcc | eq | 4.8.5__11.el7 |
References
access.redhat.com/documentation/en-US/red_hat_enterprise_linux/7/html/7.5_release_notes/index.html
access.redhat.com/errata/RHSA-2018:0849
access.redhat.com/security/updates/classification/#low
bugzilla.redhat.com/show_bug.cgi?id=1465510
bugzilla.redhat.com/show_bug.cgi?id=1502794
bugzilla.redhat.com/show_bug.cgi?id=1508968
bugzilla.redhat.com/show_bug.cgi?id=1529981
Related
4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N