util-linux mcookie utility generates predictable cookies
| utillinux-mcookie-cookie-predictable (11318) |  Low Risk |
Description:
The util-linux package, included with multiple Linux distributions uses the /dev/urandom device instead of the /dev/random device, which results in the generation of predictable cookies by the mcookie utility.
Platforms Affected:
- MandrakeSoft, Mandrake Linux 8.2
- MandrakeSoft, Mandrake Linux 9.0
Remedy:
For Mandrake Linux:
Upgrade to the latest util-linux package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:016: util-linux for more information. See References.
Mandrake Linux 8.2: 2.11n-4.4mdk or later
Mandrake Linux 9.0: 2.11u-1.1mdk or later
Consequences:
Other
References:
- BID-6855: Util-Linux mcookie Cookie Generation Weakness
- CVE-2003-0094: A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.
- MDKSA-2003:016: Updated util-linux packages provide stronger randomness in mcookie
- MDKSA-2003:024: Updated packages fix multiple vulnerabilities
Reported:
Feb 13, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net