CVE-2020-16166 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2020-16166?

CVE-2020-16166 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-16166?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Opensuse Leap, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	<= 5.7.11
Opensuse	Leap	15.1
Fedoraproject	Fedora	31
Debian	Debian Linux	9.0
Canonical	Ubuntu Linux	14.04
Netapp	Active Iq Unified Manager	>= 9.5
Netapp	Cloud Volumes Ontap Mediator	-
Netapp	E-Series Santricity Os Controller	>= 11.0.0, <= 11.60.3
Netapp	Hci Bootstrap Os	-
Netapp	Hci Management Node	-
Netapp	Solidfire	-
Netapp	Steelstore Cloud Integrated Storage	-
Netapp	Storagegrid	<= 9.0.4
Netapp	H410C Firmware	-
Netapp	H410C	-
Oracle	Sd-Wan Edge	8.2

Related Weaknesses (CWE)

CWE-330

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.htmlMailing ListThird Party Advisory
https://arxiv.org/pdf/2012.07432.pdfTechnical DescriptionThird Party Advisory
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227ePatchVendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5PatchVendor Advisory
https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1dPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00025.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00032.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00034.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.netapp.com/advisory/ntap-20200814-0004/Third Party Advisory
https://usn.ubuntu.com/4525-1/Third Party Advisory
https://usn.ubuntu.com/4526-1/Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-16166?

CVE-2020-16166 is a vulnerability with a CVSS score of 3.7 (LOW). The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is relate...

How severe is CVE-2020-16166?

CVE-2020-16166 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-16166?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Opensuse Leap, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.