CVE-2008-5162

HIGH

FreeBSD 6.3-7.1 - Use of Insufficiently Random Values in arc4random Function

Title source: llm

Description

The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict the function's return values and conduct certain attacks against the GEOM framework and various network protocols, related to the Yarrow random number generator.

References (5)

Core 5

Core References

Broken Link third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32871

Vendor Advisory vendor-advisory x_refsource_freebsd

http://security.freebsd.org/advisories/FreeBSD-SA-08:11.arc4random.asc

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1021276

Broken Link vdb-entry x_refsource_osvdb

http://osvdb.org/50137

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/32447

Scores

CVSS v3 7.0

EPSS 0.0006

EPSS Percentile 19.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-330

Status published

Products (4)

freebsd/freebsd 6.3 (6 CPE variants)

freebsd/freebsd 7.0 (5 CPE variants)

freebsd/freebsd 7.1 (18 CPE variants)

freebsd/freebsd 6.4 - 7.0

Published Nov 26, 2008

Tracked Since Feb 18, 2026