CVE-2009-3238 — MEDIUM (5.5)

Q: How severe is CVE-2009-3238?

CVE-2009-3238 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-3238?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Canonical Ubuntu Linux, Opensuse Opensuse, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server.

Vulnerability Description

The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	< 2.6.30
Canonical	Ubuntu Linux	6.06
Opensuse	Opensuse	11.0
Suse	Linux Enterprise Desktop	10
Suse	Linux Enterprise Server	10

Related Weaknesses (CWE)

CWE-338

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00005.htmlMailing List
http://patchwork.kernel.org/patch/21766/Broken LinkPatch
http://secunia.com/advisories/37105Broken Link
http://secunia.com/advisories/37351Broken Link
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30Broken LinkExploitVendor Advisory
http://www.redhat.com/support/errata/RHSA-2009-1438.htmlBroken Link
http://www.ubuntu.com/usn/USN-852-1Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=499785Issue TrackingPermissions Required
https://bugzilla.redhat.com/show_bug.cgi?id=519692Issue TrackingPermissions Required
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Broken Link
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpeThird Party Advisory
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.htmlMailing List

FAQ

What is CVE-2009-3238?

CVE-2009-3238 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat p...

How severe is CVE-2009-3238?

CVE-2009-3238 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-3238?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Canonical Ubuntu Linux, Opensuse Opensuse, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server.