Vulnerability Name: CVE-2014-7284 (CCN-96837)
Assigned: 2014-10-01
Published: 2014-10-01
Updated: 2014-10-15
Summary: The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values.
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P)
    4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)
    1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:
    Source: MITRE Type: CNA CVE-2014-7284
    Source: CONFIRM Type: Exploit http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d4405226d27b3a215e4d03cfa51f536244e5de7
    Source: CCN Type: oss-security Mailing List, Wed, 1 Oct 2014 23:29:07 -0400 (EDT) Re: CVE Request: linux kernel net_get_random_once bug
    Source: CONFIRM Type: UNKNOWN http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.5
    Source: MLIST Type: UNKNOWN [oss-security] 20141001 CVE Request: linux kernel net_get_random_once bug
    Source: CCN Type: BID-70209 Linux Kernel 'net_get_random_once' Local Information Disclosure Vulnerability
    Source: CCN Type: Red Hat Bugzilla Bug 1148788 (CVE-2014-7284) CVE-2014-7284 kernel: randomness degradation due to bug in net_get_random_once()
    Source: CONFIRM Type: UNKNOWN https://bugzilla.redhat.com/show_bug.cgi?id=1148788
    Source: XF Type: UNKNOWN linux-kernel-cve20147284-info-disc(96837)
    Source: CCN Type: Linux Kernel GIT Repository net: avoid dependency of net_get_random_once on nop patching
    Source: CONFIRM Type: Exploit https://github.com/torvalds/linux/commit/3d4405226d27b3a215e4d03cfa51f536244e5de7
    Source: MISC Type: Exploit https://web.archive.org/web/20141002163852/http://secondlookforensics.com/ngro-linux-kernel-bug/
    Source: CCN Type: WhiteSource Vulnerability Database CVE-2014-7284
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable