CVE-2017-2625

Insufficient Entropy

Published: Jul 27, 2018 | Modified: Nov 21, 2024
CVSS 3.x: 5.5 MEDIUM (Source: NVD)
  Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 2.1 LOW
  Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2:
RedHat/V3: 6.5 MODERATE
  Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Ubuntu: LOW

The Red Hat v3 vector differs from NVD's only in scope (S:C rather than S:U): a hijacked X session belongs to a different user than the local attacker, which Red Hat treats as crossing a security boundary. Both agree the attack is local, low-complexity, and affects confidentiality only.

It was discovered that libXdmcp before 1.1.2 used weak entropy to generate session keys. On a multi-user system running XDMCP, a local attacker could potentially use information available from the process list to brute-force the key, allowing them to hijack other users' sessions.
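As an added illustration (this is not libXdmcp's own code, nor a verified reconstruction of its key routine), the following C program models the weakness class the advisory describes: an 8-byte session key derived from the libc PRNG seeded with nothing more than the generating process's pid and the wall clock. A local user can read the pid from the process list and bound the clock to a window of seconds, so the search covers a few thousand seeds instead of the 2^64 values an 8-byte key could take. The hardened variant fills the key from the kernel CSPRNG instead. All names here (demo_key_t, weak_generate_key, brute_force_known_pid, brute_force_unknown_pid, strong_generate_key) are hypothetical, and the pid/time values in main are made up for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Toy 8-byte session key. Hypothetical type for this illustration. */
typedef struct { uint8_t data[8]; } demo_key_t;

/* Derive a key from a 32-bit seed with the libc PRNG. Models the weak
 * pattern generically: the seed is the only secret in the whole key. */
static void key_from_seed(uint32_t seed, demo_key_t *key) {
    srandom(seed);
    uint32_t lo = (uint32_t)random();
    uint32_t hi = (uint32_t)random();
    memcpy(key->data, &lo, 4);
    memcpy(key->data + 4, &hi, 4);
}

/* WEAK: seed = pid ^ time. Both inputs are visible to a local user:
 * the pid from `ps`, the start time to within a small window. */
void weak_generate_key(demo_key_t *key, pid_t pid, time_t now) {
    key_from_seed((uint32_t)pid ^ (uint32_t)now, key);
}

/* Attacker model 1: pid known from the process list, start time known to
 * +/- window seconds. Returns how many candidates were tried before the
 * match, or -1 if the key was not recovered inside the window. */
long brute_force_known_pid(const demo_key_t *target, pid_t pid,
                           time_t guess, int window) {
    long tried = 0;
    for (long dt = -window; dt <= window; dt++) {
        demo_key_t cand;
        key_from_seed((uint32_t)pid ^ (uint32_t)(guess + dt), &cand);
        tried++;
        if (memcmp(cand.data, target->data, sizeof cand.data) == 0)
            return tried;
    }
    return -1;
}

/* Attacker model 2: pid unknown, only an upper bound (pid_max) and the time
 * window. The whole search space is pid_max * (2*window+1) seeds, e.g.
 * 32768 * 121 < 2^22. On success the matching (pid, time) pair is written
 * to the out-parameters; because the seed is an XOR, a different pair than
 * the original may collide on the same seed, which is just as good. */
long brute_force_unknown_pid(const demo_key_t *target, pid_t pid_max,
                             time_t guess, int window,
                             pid_t *found_pid, time_t *found_time) {
    long tried = 0;
    for (pid_t pid = 1; pid <= pid_max; pid++) {
        for (long dt = -window; dt <= window; dt++) {
            demo_key_t cand;
            key_from_seed((uint32_t)pid ^ (uint32_t)(guess + dt), &cand);
            tried++;
            if (memcmp(cand.data, target->data, sizeof cand.data) == 0) {
                *found_pid = pid;
                *found_time = guess + dt;
                return tried;
            }
        }
    }
    return -1;
}

/* HARDENED: take the key bytes from the kernel CSPRNG. Returns 1 on
 * success, 0 if /dev/urandom could not be read; callers must fail closed
 * rather than fall back to a weak source. */
int strong_generate_key(demo_key_t *key) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(key->data, 1, sizeof key->data, f);
    fclose(f);
    return n == sizeof key->data;
}

int main(void) {
    demo_key_t k, s;
    pid_t pid = getpid();
    time_t now = time(NULL);
    weak_generate_key(&k, pid, now);
    /* The attacker reads the pid from `ps` and guesses the time 30 s late. */
    printf("known pid: key recovered after %ld candidates\n",
           brute_force_known_pid(&k, pid, now + 30, 60));
    if (!strong_generate_key(&s)) return 1;
    printf("strong key first bytes: %02x%02x\n", s.data[0], s.data[1]);
    return 0;
}
```

The known-pid search finishes in a few dozen PRNG reseeds; even the unknown-pid search over the full default pid range and a two-minute window is a few million reseeds, i.e. seconds on one core. Whatever pair the unknown-pid search returns reproduces the key exactly, which is all a session hijacker needs.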

Weakness

CWE-331 (Insufficient Entropy): The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Affected Software

Name | Vendor | Start Version | End Version
Libxdmcp | X.org | * | 1.1.2 (excluding)
Red Hat Enterprise Linux 7 | RedHat | libdrm-0:2.4.74-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libepoxy-0:1.3.1-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libevdev-0:1.5.6-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libfontenc-0:1.1.3-3.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libICE-0:1.0.9-9.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libinput-0:1.6.3-2.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libvdpau-0:1.1.1-3.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libwacom-0:0.24-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libX11-0:1.6.5-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXaw-0:1.0.13-4.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libxcb-0:1.12-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXcursor-0:1.1.14-8.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXdmcp-0:1.1.2-6.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXfixes-0:5.0.3-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXfont-0:1.5.2-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXfont2-0:2.0.1-2.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXi-0:1.7.9-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libxkbcommon-0:0.7.1-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libxkbfile-0:1.0.9-3.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXpm-0:3.5.12-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXrandr-0:1.5.1-2.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXrender-0:0.9.10-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXt-0:1.1.5-3.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXtst-0:1.2.3-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXv-0:1.0.11-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXvMC-0:1.0.10-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | libXxf86vm-0:1.1.4-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | mesa-0:17.0.1-6.20170307.el7 | *
Red Hat Enterprise Linux 7 | RedHat | mesa-private-llvm-0:3.9.1-3.el7 | *
Red Hat Enterprise Linux 7 | RedHat | vulkan-0:1.0.39.1-2.el7 | *
Red Hat Enterprise Linux 7 | RedHat | xcb-proto-0:1.12-2.el7 | *
Red Hat Enterprise Linux 7 | RedHat | xkeyboard-config-0:2.20-1.el7 | *
Red Hat Enterprise Linux 7 | RedHat | xorg-x11-proto-devel-0:7.7-20.el7 | *
Libxdmcp | Ubuntu | artful | *
Libxdmcp | Ubuntu | bionic | *
Libxdmcp | Ubuntu | cosmic | *
Libxdmcp | Ubuntu | devel | *
Libxdmcp | Ubuntu | disco | *
Libxdmcp | Ubuntu | eoan | *
Libxdmcp | Ubuntu | esm-infra-legacy/trusty | *
Libxdmcp | Ubuntu | esm-infra/bionic | *
Libxdmcp | Ubuntu | esm-infra/focal | *
Libxdmcp | Ubuntu | esm-infra/xenial | *
Libxdmcp | Ubuntu | focal | *
Libxdmcp | Ubuntu | groovy | *
Libxdmcp | Ubuntu | hirsute | *
Libxdmcp | Ubuntu | impish | *
Libxdmcp | Ubuntu | jammy | *
Libxdmcp | Ubuntu | kinetic | *
Libxdmcp | Ubuntu | precise | *
Libxdmcp | Ubuntu | precise/esm | *
Libxdmcp | Ubuntu | trusty | *
Libxdmcp | Ubuntu | trusty/esm | *
Libxdmcp | Ubuntu | upstream | *
Libxdmcp | Ubuntu | vivid/stable-phone-overlay | *
Libxdmcp | Ubuntu | xenial | *
Libxdmcp | Ubuntu | yakkety | *
Libxdmcp | Ubuntu | zesty | *

The Red Hat rows each name a single RHEL 7 package build; the one relevant to this CVE is libXdmcp-0:1.1.2-6.el7, which is at or above the fixed upstream version 1.1.2. The Ubuntu rows list release names rather than package versions.

Potential Mitigations

Upgrade libXdmcp to 1.1.2 or later; on Red Hat Enterprise Linux 7 that means libXdmcp-0:1.1.2-6.el7 or later, as listed above. Check the installed version with `rpm -q libXdmcp` on Red Hat systems or `dpkg -l libxdmcp6` on Ubuntu. Where remote display management is not needed, leave XDMCP disabled on the display manager; the weak session keys only come into play when XDMCP is in use.

References