It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Link | Tags |
|---|---|
| https://security.gentoo.org/glsa/201704-03 | third party advisory vendor advisory |
| https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c | third party advisory patch |
| http://www.securitytracker.com/id/1037919 | vdb entry third party advisory |
| https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html | third party advisory mailing list |
| https://security.gentoo.org/glsa/201710-30 | third party advisory vendor advisory |
| http://www.securityfocus.com/bid/96480 | vdb entry third party advisory |
| https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ | third party advisory exploit |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624 | issue tracking exploit third party advisory |