CVE-2017-1000112

high

Description

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, between two send() calls, the append path can be switched from the UFO path to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and the computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently, skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
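
The length arithmetic described above, as an added example (not kernel code and not part of this advisory): a simplified user-space model of the non-UFO branch of __ip_append_data(). The struct, the function name model_append and the input values (MTU 1500, 20-byte IP header, skb lengths) are constructed for illustration.

```c
#include <stdio.h>

/* Added example: simplified model of the non-UFO length arithmetic in
 * __ip_append_data(). The kernel uses unsigned types for some of these
 * values; signed ints are used here so the negative results stay visible. */
struct frag_calc {
    int maxfraglen;
    int copy_first;   /* maxfraglen - skb->len */
    int fraggap;      /* skb_prev->len - maxfraglen */
    int datalen;      /* payload bytes the new fragment holds */
    int copy_second;  /* datalen - transhdrlen - fraggap */
    int overrun;      /* fraggap bytes that do not fit in the new fragment */
};

/* model_append() and its parameters are hypothetical names for this model. */
struct frag_calc model_append(int mtu, int fragheaderlen, int transhdrlen,
                              int prev_len, int length)
{
    struct frag_calc r = {0};
    r.maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;
    r.copy_first = mtu - prev_len;
    if (r.copy_first < length)
        r.copy_first = r.maxfraglen - prev_len;
    if (r.copy_first > 0)
        return r;   /* data fits in the current skb; no new skb needed */

    /* New skb: the tail of skb_prev beyond maxfraglen is moved into it. */
    r.fraggap = prev_len - r.maxfraglen;
    r.datalen = length + r.fraggap;
    if (r.datalen > mtu - fragheaderlen)
        r.datalen = r.maxfraglen - fragheaderlen;
    r.copy_second = r.datalen - transhdrlen - r.fraggap;
    /* skb_copy_and_csum_bits() copies fraggap bytes regardless of room left. */
    if (r.copy_second < 0)
        r.overrun = -r.copy_second;
    return r;
}

int main(void)
{
    /* Constructed inputs: MTU 1500, 20-byte IP header, 1-byte second send(). */
    struct frag_calc ok  = model_append(1500, 20, 0, 1500, 1);
    struct frag_calc bad = model_append(1500, 20, 0, 3200, 1);
    printf("MTU-sized skb_prev: fraggap=%d copy=%d overrun=%d\n",
           ok.fraggap, ok.copy_second, ok.overrun);
    printf("UFO-sized skb_prev: fraggap=%d copy=%d overrun=%d\n",
           bad.fraggap, bad.copy_second, bad.overrun);
    return 0;
}
```

On the non-UFO path skb->len never exceeds the MTU, so fraggap stays below 8 (the 8-byte rounding in maxfraglen); an skb built on the UFO path breaks that assumption.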

References

http://seclists.org/oss-sec/2017/q3/277

http://www.debian.org/security/2017/dsa-3981

http://www.securityfocus.com/bid/100262

http://www.securitytracker.com/id/1039162

https://access.redhat.com/errata/RHSA-2017:2918

https://access.redhat.com/errata/RHSA-2017:2930

https://access.redhat.com/errata/RHSA-2017:2931

https://access.redhat.com/errata/RHSA-2017:3200

https://access.redhat.com/errata/RHSA-2019:1931

https://access.redhat.com/errata/RHSA-2019:1932

https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112

https://www.exploit-db.com/exploits/45147/

Details

Source: MITRE

Published: 2017-10-05

Updated: 2018-08-06

Type: CWE-362

Risk Information

CVSS v2

Base Score: 6.9

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.4

Severity: MEDIUM

CVSS v3

Base Score: 7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to 4.13.9 (inclusive)

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 131980 | RHEL 7 : kernel (RHSA-2019:4159) | Nessus | Red Hat Local Security Checks | high |
| 127408 | NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0143) | Nessus | NewStart CGSL Local Security Checks | critical |
| 127146 | NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004) | Nessus | NewStart CGSL Local Security Checks | critical |
| 124821 | EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1498) | Nessus | Huawei Local Security Checks | high |
| 124806 | EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482) | Nessus | Huawei Local Security Checks | high |
| 121724 | Photon OS 1.0: Linux PHSA-2017-0029 | Nessus | PhotonOS Local Security Checks | critical |
| 111878 | Photon OS 1.0: Cassandra / Libxml2 / Linux / Ruby PHSA-2017-0029 (deprecated) | Nessus | PhotonOS Local Security Checks | high |
| 109158 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre) | Nessus | OracleVM Local Security Checks | high |
| 109156 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre) | Nessus | Oracle Linux Local Security Checks | high |
| 108520 | Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838) | Nessus | Junos Local Security Checks | critical |
| 105248 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash) | Nessus | OracleVM Local Security Checks | high |
| 105247 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash) | Nessus | Oracle Linux Local Security Checks | high |
| 105172 | SUSE SLES11 Security Update : kernel (SUSE-SU-2017:3265-1) (KRACK) | Nessus | SuSE Local Security Checks | critical |
| 104623 | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20171115) | Nessus | Scientific Linux Local Security Checks | high |
| 104617 | Oracle Linux 6 : kernel (ELSA-2017-3200) | Nessus | Oracle Linux Local Security Checks | high |
| 104583 | CentOS 6 : kernel (CESA-2017:3200) | Nessus | CentOS Local Security Checks | high |
| 104566 | RHEL 6 : kernel (RHSA-2017:3200) | Nessus | Red Hat Local Security Checks | high |
| 104453 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0167) | Nessus | OracleVM Local Security Checks | high |
| 104369 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3635) | Nessus | Oracle Linux Local Security Checks | high |
| 104296 | EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271) | Nessus | Huawei Local Security Checks | high |
| 104281 | EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1256) | Nessus | Huawei Local Security Checks | high |
| 104202 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0163) | Nessus | OracleVM Local Security Checks | high |
| 104167 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3631) | Nessus | Oracle Linux Local Security Checks | high |
| 104106 | CentOS 7 : kernel (CESA-2017:2930) | Nessus | CentOS Local Security Checks | high |
| 104090 | RHEL 6 : MRG (RHSA-2017:2918) | Nessus | Red Hat Local Security Checks | high |
| 104088 | Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne) | Nessus | Oracle Linux Local Security Checks | high |
| 104030 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2791-1) | Nessus | SuSE Local Security Checks | high |
| 104015 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2775-1) | Nessus | SuSE Local Security Checks | high |
| 104008 | Scientific Linux Security Update : kernel on SL7.x x86_64 (20171019) | Nessus | Scientific Linux Local Security Checks | high |
| 104004 | RHEL 7 : kernel-rt (RHSA-2017:2931) | Nessus | Red Hat Local Security Checks | high |
| 104003 | RHEL 7 : kernel (RHSA-2017:2930) | Nessus | Red Hat Local Security Checks | high |
| 104001 | Oracle Linux 7 : kernel (ELSA-2017-2930) | Nessus | Oracle Linux Local Security Checks | high |
| 103365 | Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash) | Nessus | Debian Local Security Checks | high |
| 103354 | SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash) | Nessus | SuSE Local Security Checks | critical |
| 103301 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2511-1) | Nessus | SuSE Local Security Checks | high |
| 103300 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2510-1) | Nessus | SuSE Local Security Checks | high |
| 103299 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2509-1) | Nessus | SuSE Local Security Checks | high |
| 103298 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2508-1) | Nessus | SuSE Local Security Checks | high |
| 103297 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2506-1) | Nessus | SuSE Local Security Checks | high |
| 103296 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2500-1) | Nessus | SuSE Local Security Checks | high |
| 103295 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2499-1) | Nessus | SuSE Local Security Checks | high |
| 103294 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2498-1) | Nessus | SuSE Local Security Checks | high |
| 103293 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2497-1) | Nessus | SuSE Local Security Checks | high |
| 103248 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2476-1) | Nessus | SuSE Local Security Checks | high |
| 103247 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2475-1) | Nessus | SuSE Local Security Checks | high |
| 103214 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2448-1) | Nessus | SuSE Local Security Checks | high |
| 103213 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2447-1) | Nessus | SuSE Local Security Checks | high |
| 103212 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2446-1) | Nessus | SuSE Local Security Checks | high |
| 103211 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2443-1) | Nessus | SuSE Local Security Checks | high |
| 103210 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2442-1) | Nessus | SuSE Local Security Checks | high |
| 103186 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2441-1) | Nessus | SuSE Local Security Checks | high |
| 103185 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2440-1) | Nessus | SuSE Local Security Checks | high |
| 103184 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2439-1) | Nessus | SuSE Local Security Checks | high |
| 103183 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2438-1) | Nessus | SuSE Local Security Checks | high |
| 103182 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2437-1) | Nessus | SuSE Local Security Checks | high |
| 103181 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2436-1) | Nessus | SuSE Local Security Checks | high |
| 103180 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2424-1) | Nessus | SuSE Local Security Checks | high |
| 103179 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2423-1) | Nessus | SuSE Local Security Checks | high |
| 102922 | Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-076) | Nessus | Virtuozzo Local Security Checks | high |
| 102838 | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2286-1) | Nessus | SuSE Local Security Checks | high |
| 102718 | Fedora 25 : kernel (2017-73f71456d7) | Nessus | Fedora Local Security Checks | high |
| 102717 | Fedora 26 : kernel (2017-4336d64e21) | Nessus | Fedora Local Security Checks | high |
| 102593 | Virtuozzo 7 : readykernel-patch (VZA-2017-073) | Nessus | Virtuozzo Local Security Checks | high |
| 102592 | Virtuozzo 7 : readykernel-patch (VZA-2017-072) | Nessus | Virtuozzo Local Security Checks | high |
| 102591 | Virtuozzo 7 : readykernel-patch (VZA-2017-071) | Nessus | Virtuozzo Local Security Checks | high |
| 102510 | openSUSE Security Update : the Linux Kernel (openSUSE-2017-930) | Nessus | SuSE Local Security Checks | high |
| 102509 | openSUSE Security Update : the Linux Kernel (openSUSE-2017-929) | Nessus | SuSE Local Security Checks | high |
| 102478 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2150-1) | Nessus | SuSE Local Security Checks | high |
| 102475 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2142-1) | Nessus | SuSE Local Security Checks | high |
| 102422 | Ubuntu 14.04 LTS : linux vulnerabilities (USN-3386-1) | Nessus | Ubuntu Local Security Checks | high |
| 102421 | Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3385-2) | Nessus | Ubuntu Local Security Checks | high |
| 102420 | Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3385-1) | Nessus | Ubuntu Local Security Checks | high |
| 102419 | Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3384-2) | Nessus | Ubuntu Local Security Checks | high |
| 102418 | Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3384-1) | Nessus | Ubuntu Local Security Checks | high |
| 102415 | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2131-1) | Nessus | SuSE Local Security Checks | high |
| 102367 | Amazon Linux AMI : kernel (ALAS-2017-868) | Nessus | Amazon Linux Local Security Checks | high |