CVE-2017-2624 MEDIUM

CVE-2017-2624

Vendor Xorg
Product xorg-x11-server
Weakness CWE-385
Published July 27, 2018
Last update August 5, 2024

CVSS base score

5.9/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

xorg-x11-server 1.19.0 and earlier uses memcmp() to check the MIT-MAGIC-COOKIE-1 value presented by a connecting client against the list of valid cookies. A client that presents a correct cookie is allowed to attach to the Xorg session. Because most memcmp() implementations return as soon as they see a differing byte, the comparison takes slightly longer the longer the correct prefix of the guess is. A local attacker who can time connection attempts can therefore recover the cookie one byte at a time (at most 256 tries per byte, rather than up to 2^128 tries for the whole 16-byte value), which makes brute force efficient. The fix is to compare cookies with a constant-time function that always examines every byte regardless of where the first difference occurs.
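The following C program is an added example, not Xorg code, that models the leak described above and the constant-time comparison that removes it. The early-exit compare stands in for memcmp(); the `steps` counter stands in for the elapsed time a real attacker would have to estimate from many timed connection attempts. The sample cookie, the function names and the byte-at-a-time recovery loop are all constructed for this illustration.

```c
/* Added example (not Xorg code): models the timing leak behind CVE-2017-2624
 * and the constant-time comparison that removes it. The early-exit compare
 * stands in for memcmp(); the "steps" counter stands in for measured time. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define COOKIE_LEN 16 /* an MIT-MAGIC-COOKIE-1 value is 16 bytes */

/* Constructed sample secret for the demo; a real cookie is random. */
static const uint8_t kSampleCookie[COOKIE_LEN] = {
    0x3a, 0x91, 0x00, 0xc7, 0x5e, 0xf2, 0x08, 0x6b,
    0xd4, 0x27, 0x9c, 0x41, 0xe0, 0x13, 0xb8, 0x75
};

/* Vulnerable shape (like memcmp): returns at the first differing byte.
 * *steps receives how many bytes were examined; that count is the leak. */
int cookie_eq_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Hardened shape: touches every byte, no data-dependent branch or early
 * return, so *steps is always n. Same idea as timingsafe_memcmp(). */
int cookie_eq_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    return diff == 0;
}

/* Simulated attacker: recovers the secret one byte at a time by keeping, for
 * each position, the value that makes the comparison run one step longer.
 * Returns the number of authentication attempts used. */
size_t recover_cookie_via_timing(const uint8_t *secret, size_t n, uint8_t *out)
{
    uint8_t guess[COOKIE_LEN] = {0};
    size_t attempts = 0;
    for (size_t pos = 0; pos < n; pos++) {
        size_t best_steps = 0;
        uint8_t best_byte = 0;
        for (int v = 0; v < 256; v++) {
            size_t steps;
            guess[pos] = (uint8_t)v;
            attempts++;
            if (cookie_eq_early_exit(guess, secret, n, &steps)) {
                memcpy(out, guess, n); /* full match reached, stop early */
                return attempts;
            }
            if (steps > best_steps) { best_steps = steps; best_byte = (uint8_t)v; }
        }
        guess[pos] = best_byte; /* lock in the byte that got one step further */
    }
    memcpy(out, guess, n);
    return attempts;
}

/* Helpers that expose the demo's results as return values. */
int demo_early_exit_recovers_sample(void)
{
    uint8_t out[COOKIE_LEN];
    recover_cookie_via_timing(kSampleCookie, COOKIE_LEN, out);
    return memcmp(out, kSampleCookie, COOKIE_LEN) == 0;
}

size_t demo_early_exit_attempts(void)
{
    uint8_t out[COOKIE_LEN];
    return recover_cookie_via_timing(kSampleCookie, COOKIE_LEN, out);
}

int demo_ct_accepts_sample(void)
{
    size_t s;
    return cookie_eq_ct(kSampleCookie, kSampleCookie, COOKIE_LEN, &s) == 1 && s == COOKIE_LEN;
}

/* With the constant-time compare, a wrong first byte and a wrong last byte
 * cost the same number of steps, so the per-byte oracle disappears. */
int demo_ct_steps_are_constant(void)
{
    uint8_t wrong_first[COOKIE_LEN], wrong_last[COOKIE_LEN];
    size_t s1, s2;
    memcpy(wrong_first, kSampleCookie, COOKIE_LEN); wrong_first[0] ^= 0xff;
    memcpy(wrong_last, kSampleCookie, COOKIE_LEN);  wrong_last[COOKIE_LEN - 1] ^= 0xff;
    int r1 = cookie_eq_ct(wrong_first, kSampleCookie, COOKIE_LEN, &s1);
    int r2 = cookie_eq_ct(wrong_last, kSampleCookie, COOKIE_LEN, &s2);
    return r1 == 0 && r2 == 0 && s1 == COOKIE_LEN && s2 == COOKIE_LEN;
}

int main(void)
{
    uint8_t out[COOKIE_LEN];
    size_t attempts = recover_cookie_via_timing(kSampleCookie, COOKIE_LEN, out);
    printf("early-exit compare: recovered %s after %zu attempts (max 16*256 = 4096)\n",
           memcmp(out, kSampleCookie, COOKIE_LEN) == 0 ? "the correct cookie" : "a WRONG cookie",
           attempts);
    printf("constant-time compare leaks nothing per byte: %s\n",
           demo_ct_steps_are_constant() ? "ok" : "FAIL");
    return 0;
}
```

The recovery loop needs at most 16 * 256 attempts against the early-exit compare, which is the "efficient brute force" the advisory refers to. Against the constant-time variant every wrong guess costs exactly COOKIE_LEN steps, so the attacker is back to guessing the whole 128-bit value. In practice the per-byte timing difference is tiny and must be separated from noise by repeating each attempt many times, which is why the CVSS vector rates attack complexity as High.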

Key dates

02 Disclosure timeline

July 27, 2018 CVE published
August 5, 2024 Record updated