Vulnerability Name: CVE-2008-5162 (CCN-46825)
Assigned: 2008-11-24
Published: 2008-11-24
Updated: 2008-12-03
Summary: The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict the function's return values and conduct certain attacks against the GEOM framework and various network protocols, related to the Yarrow random number generator.
CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
  5.1 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
  3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-310, CWE-362
Vulnerability Consequences: Bypass Security
References:
  Source: MITRE Type: CNA CVE-2008-5162
  Source: OSVDB Type: UNKNOWN 50137
  Source: CCN Type: SA32871 FreeBSD "arc4random()" Insufficient Entropy Sources Security Issue
  Source: SECUNIA Type: UNKNOWN 32871
  Source: CCN Type: FreeBSD-SA-08.11.arc4random arc4random(9) predictable sequence vulnerability
  Source: FREEBSD Type: Vendor Advisory FreeBSD-SA-08:11
  Source: CCN Type: SECTRACK ID: 1021276 FreeBSD arc4random(9) Generates Predictable Sequences
  Source: SECTRACK Type: UNKNOWN 1021276
  Source: CCN Type: OSVDB ID: 50137 FreeBSD arc4random() Function Entropy Source Weakness
  Source: BID Type: UNKNOWN 32447
  Source: CCN Type: BID-32447 FreeBSD 'arc4random (9)' Pseudo-Random Number Generator Insufficient Entropy Weakness
  Source: XF Type: UNKNOWN freebsd-arc4random-weak-security(46825)
Vulnerable Configuration: Configuration 1: Configuration CCN 1: