CVE-2017-2624
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/07/2018
Last modified:
29/08/2025
Description
It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
1.90
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:* | 1.19.4 (including) | |
| cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.securityfocus.com/bid/96480
- http://www.securitytracker.com/id/1037919
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624
- https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c
- https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html
- https://security.gentoo.org/glsa/201704-03
- https://security.gentoo.org/glsa/201710-30
- https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
- http://www.securityfocus.com/bid/96480
- http://www.securitytracker.com/id/1037919
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624
- https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c
- https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html
- https://security.gentoo.org/glsa/201704-03
- https://security.gentoo.org/glsa/201710-30
- https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/