CVE-2019-1010025

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendors position is ASLR bypass itself is not a vulnerability.

Weakness

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Affected Software

Potential Mitigations

• Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
• In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
• Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a “random enough” number.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/112.html
• https://cwe.mitre.org/data/definitions/485.html
• https://cwe.mitre.org/data/definitions/59.html

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010025
• https://sourceware.org/bugzilla/show_bug.cgi?id=22853
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS
• https://ubuntu.com/security/CVE-2019-1010025