Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2013-4345 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2 may address this issue.
| Base Score | 2.6 |
|---|---|
| Base Metrics | AV:L/AC:H/Au:N/C:P/I:P/A:N |
| Access Vector | Local |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (kernel) | RHSA-2013:1645 | 2013-11-20 |
| Red Hat MRG Grid for RHEL 6 Server v.2 (kernel-rt) | RHSA-2013:1490 | 2013-10-31 |
| Red Hat Enterprise Linux 5 (kernel) | RHSA-2013:1449 | 2013-10-22 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | kernel | Not affected |
Vulmon