FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libXdmcp -- insufficient entropy generating session keys

Affected packages
libXdmcp < 1.1.3

Details

VuXML ID 1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335
Discovery 2017-04-04
Entry 2019-03-21
Modified 2019-03-22

The freedesktop.org and X.Org projects report:

It was discovered that libXdmcp before 1.1.3 used weak entropy to generate session keys on platforms without arc4random_buf() but with getentropy(). On a multi-user system using XDMCP, a local attacker could potentially use information available from the process list to brute-force the key, allowing them to hijack other users' sessions.

Please note that, since FreeBSD provides arc4random_buf(), it is unknown whether FreeBSD is affected by this vulnerability.
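
The defensive pattern the advisory implies, as an added example and not code from libXdmcp or the FreeBSD port: a session-key generator that takes every byte of the key from the operating system's CSPRNG, preferring arc4random_buf() where the platform has it (the BSDs, macOS) and otherwise calling getentropy() in chunks of at most 256 bytes, and that fails closed rather than falling back on inputs an attacker can read from the process list. The function names, the GETENTROPY_MAX constant and the sanity checks are this example's own assumptions; the key length is a parameter because the example does not depend on XDMCP's actual key size.

```c
/* Added example, not libXdmcp code. Builds on Linux/glibc >= 2.25,
 * FreeBSD, OpenBSD, NetBSD and macOS. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__APPLE__)
#include <sys/random.h>   /* getentropy() is declared here on macOS */
#endif

/* getentropy() rejects requests larger than 256 bytes (assumed constant name). */
#define GETENTROPY_MAX 256

/* Fill key[0..len) from the OS CSPRNG.
 * Returns 0 on success, -1 on failure; on failure the buffer is zeroed so a
 * caller can never accidentally use a half-filled key. There is deliberately
 * no fallback to pid, time or other process-list-visible values. */
int generate_session_key(uint8_t *key, size_t len)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    arc4random_buf(key, len);   /* cannot fail on these platforms */
    return 0;
#else
    size_t done = 0;
    while (done < len) {
        size_t chunk = len - done;
        if (chunk > GETENTROPY_MAX)
            chunk = GETENTROPY_MAX;   /* stay within getentropy()'s limit */
        if (getentropy(key + done, chunk) != 0) {
            memset(key, 0, len);      /* fail closed, never partially random */
            return -1;
        }
        done += chunk;
    }
    return 0;
#endif
}

/* Cheap sanity check a test suite can run: the key must not be all zero
 * (what a silently failing generator would hand back). Returns 1 if any
 * byte is non-zero. */
int key_is_nonzero(const uint8_t *key, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= key[i];
    return acc != 0;
}

/* Second sanity check: two consecutively generated keys must differ, which a
 * generator seeded from a guessable value (pid, start time) would not
 * guarantee within one run. Returns 1 if both keys were generated and differ. */
int consecutive_keys_differ(size_t len)
{
    uint8_t a[512], b[512];
    if (len > sizeof a)
        return 0;
    if (generate_session_key(a, len) != 0 || generate_session_key(b, len) != 0)
        return 0;
    return memcmp(a, b, len) != 0;
}

int main(void)
{
    uint8_t key[8];   /* 8-byte key used only for the demonstration */
    if (generate_session_key(key, sizeof key) != 0) {
        fprintf(stderr, "no entropy source available, refusing to continue\n");
        return 1;
    }
    printf("session key: ");
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

The point of the two check functions is that a deployment can detect the failure mode described above at build or test time: a generator that degrades to a deterministic or low-entropy source will typically either return zeros or repeat keys, and both are caught before any session is authenticated with such a key.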

References

CVE Name CVE-2017-2625
URL https://lists.x.org/archives/xorg-announce/2019-March/002974.html
URL https://nvd.nist.gov/vuln/detail/CVE-2017-2625