The offset2lib patch as used by the Linux kernel contains a vulnerability: if RLIMIT_STACK is set to RLIM_INFINITY and 1 gigabyte of memory is allocated (the maximum under the 1/4 restriction), the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000, the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux kernel version 4.11.5. This is a different issue from CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386-based systems.
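As an added example (not code from the advisory, from Qualys, or from the Linux kernel), the C program below measures the quantity the description turns on: the distance between the executable's highest mapping and the bottom of the [stack] mapping, as read from /proc/<pid>/maps. The two maps samples are constructed, the 4096-byte page size and the /tmp/victim path are assumptions, and the 1-page versus 256-page guard sizes are the kernel defaults before and after the Stack Clash fix (the stack_guard_gap boot parameter).

```c
/* Added example, not from the advisory or the kernel: measure the gap
 * between a PIE's last mapping and the bottom of its stack from
 * /proc/<pid>/maps, the distance the CVE text says shrinks to one
 * guard page in the vulnerable layout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <unistd.h>
#endif

#define PAGE_BYTES 4096UL   /* i386/x86-64 base page size (assumption) */

/* Constructed sample maps with i386-style addresses, not from a real host.
 * SAMPLE_TIGHT mirrors the described layout: the PIE sits just above
 * 0x80000000 and the stack has grown down to within one page of it. */
const char SAMPLE_TIGHT[] =
    "80000000-80001000 r-xp 00000000 08:01 4242      /tmp/victim\n"
    "80001000-80002000 r--p 00000000 08:01 4242      /tmp/victim\n"
    "80002000-80003000 rw-p 00001000 08:01 4242      /tmp/victim\n"
    "80004000-c0000000 rw-p 00000000 00:00 0         [stack]\n";

/* SAMPLE_NORMAL: the usual layout, stack far above the executable. */
const char SAMPLE_NORMAL[] =
    "56555000-56556000 r-xp 00000000 08:01 4242      /tmp/victim\n"
    "56556000-56557000 r--p 00000000 08:01 4242      /tmp/victim\n"
    "56557000-56558000 rw-p 00001000 08:01 4242      /tmp/victim\n"
    "56558000-5657a000 rw-p 00000000 00:00 0         [heap]\n"
    "ffb00000-ffb21000 rw-p 00000000 00:00 0         [stack]\n";

/* Walk maps text; return the bytes between the highest end address of any
 * mapping of exe_path (its rw segment is mapped last) and the start of
 * [stack], or -1 if either is missing or the stack is not above the exe. */
long long pie_stack_gap(const char *maps, const char *exe_path,
                        unsigned long *exe_end_out,
                        unsigned long *stack_start_out)
{
    unsigned long exe_end = 0, stack_start = 0;
    int have_stack = 0;
    const char *line = maps;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char *p = NULL;
        unsigned long start = strtoul(buf, &p, 16);
        unsigned long end = (p && *p == '-') ? strtoul(p + 1, NULL, 16) : 0;
        /* the pathname, when present, is the last space-separated field */
        const char *sp = strrchr(buf, ' ');
        const char *path = sp ? sp + 1 : "";

        if (end > start && strcmp(path, exe_path) == 0 && end > exe_end)
            exe_end = end;
        if (end > start && strcmp(path, "[stack]") == 0) {
            stack_start = start;
            have_stack = 1;
        }
        line = nl ? nl + 1 : line + len;
    }
    if (exe_end_out) *exe_end_out = exe_end;
    if (stack_start_out) *stack_start_out = stack_start;
    if (!exe_end || !have_stack || stack_start < exe_end)
        return -1;
    return (long long)(stack_start - exe_end);
}

/* True when nothing but the kernel's guard gap separates the two mappings,
 * the layout in which one frame larger than the guard steps over it.
 * guard_bytes: 1 page on kernels before the Stack Clash fix, 256 pages
 * (the stack_guard_gap default) afterwards. */
int only_guard_between(long long gap, unsigned long guard_bytes)
{
    return gap >= 0 && (unsigned long long)gap <= guard_bytes;
}

int main(void)
{
    long long g = pie_stack_gap(SAMPLE_TIGHT, "/tmp/victim", NULL, NULL);
    printf("constructed tight layout: gap %lld bytes (%lld pages)\n",
           g, g / (long long)PAGE_BYTES);
#ifdef __linux__
    /* Live check on the running process (Linux only). */
    char exe[512];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    FILE *f = fopen("/proc/self/maps", "r");
    if (n > 0 && f) {
        static char maps[1 << 16];
        size_t got = fread(maps, 1, sizeof maps - 1, f);
        maps[got] = '\0';
        exe[n] = '\0';
        unsigned long e, s;
        g = pie_stack_gap(maps, exe, &e, &s);
        printf("this process: exe end %#lx, stack start %#lx, gap %lld bytes\n",
               e, s, g);
    }
    if (f) fclose(f);
#endif
    return 0;
}
```

Run it as an unprivileged user on the host under test: a gap of a page or so between the executable's end and [stack] under `ulimit -s unlimited` is the condition the description relies on, while a gap of hundreds of megabytes means the stack cannot be walked into the binary's read-write segment by a single over-sized frame.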
http://www.debian.org/security/2017/dsa-3981
http://www.securityfocus.com/bid/99131
https://access.redhat.com/security/cve/CVE-2017-1000371
https://www.exploit-db.com/exploits/42273/
https://www.exploit-db.com/exploits/42276/
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Source: MITRE
Published: 2017-06-19
Updated: 2019-10-03
Type: NVD-CWE-noinfo
CVSS v2:
Base Score: 7.2
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Impact Score: 10
Exploitability Score: 3.9
Severity: HIGH
CVSS v3:
Base Score: 7.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 1.8
Severity: HIGH
ID | Name | Product | Family | Severity |
---|---|---|---|---|
137217 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0020) (Stack Clash) | Nessus | OracleVM Local Security Checks | critical |
137173 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5708) (Stack Clash) | Nessus | Oracle Linux Local Security Checks | critical |
136804 | Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2020-037) | Nessus | Virtuozzo Local Security Checks | high |
136020 | CentOS 6 : kernel (CESA-2020:1524) (Stack Clash) | Nessus | CentOS Local Security Checks | high |
135959 | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200422) (Stack Clash) | Nessus | Scientific Linux Local Security Checks | high |
135957 | Oracle Linux 6 : kernel (ELSA-2020-1524) (Stack Clash) | Nessus | Oracle Linux Local Security Checks | high |
135910 | RHEL 6 : kernel (RHSA-2020:1524) | Nessus | Red Hat Local Security Checks | high |
104100 | Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826) | Nessus | Junos Local Security Checks | high |
103365 | Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash) | Nessus | Debian Local Security Checks | high |
101723 | Fedora 26 : kernel (2017-d3ed702fe4) (Stack Clash) | Nessus | Fedora Local Security Checks | high |
101068 | Fedora 24 : kernel (2017-05f10e29f4) (Stack Clash) | Nessus | Fedora Local Security Checks | high |
101037 | Fedora 25 : kernel (2017-d7bc1b3056) (Stack Clash) | Nessus | Fedora Local Security Checks | high |
100874 | Amazon Linux AMI : kernel (ALAS-2017-845) (Stack Clash) | Nessus | Amazon Linux Local Security Checks | high |