Home > Vulnerability Database > CVE-2017-2624

Mend.io Vulnerability Database

CVE-2017-2624

Date: July 27, 2018

It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.

Severity Score

7.0

Related Resources (12)

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-2624

Url: https://security.gentoo.org/glsa/201710-30

Url: https://security.gentoo.org/glsa/201704-03

Url: https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c

Url: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/

Url: http://www.securityfocus.com/bid/96480

Url: http://www.securitytracker.com/id/1037919

Url: https://access.redhat.com/security/cve/CVE-2017-2624

Url: https://security-tracker.debian.org/tracker/CVE-2017-2624

Url: https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html

Url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624

Url: https://www.mend.io/vulnerability-database/CVE-2017-2624

Severity Score

7.0

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

CVSS v3.1

Base Score:	7.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	1.9
Access Vector (AV):	LOCAL
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-2624

Date: July 27, 2018

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?