VDB
CVE-2017-2624
CVE-2017-2624
PUBLISHED
It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.
EPSS 0.05% · 14.7th percentile
Risk Scores
EPSS Score
0.05%
14.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | xorg-server-hwe-16.04 | 0, 2:1.18.4-1ubuntu6.1~16.04.1 |
| Ubuntu:14.04:LTS | xorg-server | 2:1.15.1-0ubuntu2.6, 2:1.14.3-3ubuntu3, 2:1.14.3-3ubuntu4 |
| Ubuntu:16.04:LTS | xorg-server | 0, 2:1.17.2-1ubuntu10, 2:1.17.3-2ubuntu1 |
| Ubuntu:14.04:LTS | xorg-server-lts-xenial | 2:1.18.3-1ubuntu2.2~trusty1, 2:1.18.3-1ubuntu2.2~trusty2, 2:1.18.3-1ubuntu2.2~trusty3 |
Timeline
- Mar 1, 2017 CVE Published
- Mar 2, 2017 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-2624 third-party-advisory
- https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ third-party-advisory
- http://openwall.com/lists/oss-security/2017/03/01/1 third-party-advisory
- https://ubuntu.com/security/notices/USN-3362-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-2624 third-party-advisory