CVE-2017-1000405

MEDIUM

Description

The Linux kernel versions 2.6.38 through 4.14 make problematic use of pmd_mkdirty() in the touch_pmd() function of the transparent huge page (THP) implementation. touch_pmd() can be reached by get_user_pages(), in which case the pmd becomes dirty. This breaks the logic of the can_follow_write_pmd() check that was added by the fix for the original Dirty COW bug (CVE-2016-5195): a pmd can become dirty without going through a COW cycle. This bug is not as severe as the original Dirty COW because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow read-only huge pages to be overwritten. For example, the zero huge page and sealed shmem files can be overwritten, since their mappings can be populated using THP. Note that after the first write page-fault to the zero page, it is replaced with a new, fresh (and zeroed) THP.
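The following triage helper is an added example, not code from the CVE entry, from Tenable, or from the kernel. It checks a uname -r style release string against the affected range this page lists (2.6.38 through 4.14 inclusive) and reports the transparent hugepage settings that decide whether huge pages, including the huge zero page and shmem THP mappings named above, can be populated at all. Assumptions: the sysfs paths are the standard THP knobs (shmem_enabled only exists on kernels with shmem THP support), and a version inside the range means "possibly vulnerable" only, because stable and vendor kernels backport the fix without changing the version number.

```c
/* Added triage helper for CVE-2017-1000405 (example code, not from the CVE
 * page or the kernel). Pure functions are separated from the sysfs/uname
 * reading so they can be exercised on constructed strings. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Affected range as listed on this page (CPE: 2.6.38 through 4.14 inclusive).
 * 4.14.y point releases are treated as in range, matching the CPE; vendor
 * errata decide whether a given build actually carries the backported fix. */
static const int AFFECTED_LO[3] = { 2, 6, 38 };
static const int AFFECTED_HI[2] = { 4, 14 };

/* Standard sysfs THP knobs (assumed present on a THP-capable kernel). */
static const char *THP_ENABLED   = "/sys/kernel/mm/transparent_hugepage/enabled";
static const char *THP_ZERO_PAGE = "/sys/kernel/mm/transparent_hugepage/use_zero_page";
static const char *THP_SHMEM     = "/sys/kernel/mm/transparent_hugepage/shmem_enabled";

/* Parse "major.minor[.patch][-anything]" as printed by uname -r.
 * Returns 1 on success, 0 if the string does not start with major.minor. */
int parse_kernel_version(const char *s, int *major, int *minor, int *patch)
{
    char *end;
    long v;

    *major = *minor = *patch = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    *major = (int)v;
    s = end + 1;
    v = strtol(s, &end, 10);
    if (end == s)
        return 0;
    *minor = (int)v;
    if (*end == '.') {              /* optional patch level, e.g. 3.10.0-693.el7 */
        s = end + 1;
        v = strtol(s, &end, 10);
        if (end != s)
            *patch = (int)v;
    }
    return 1;
}

/* 1 = inside the affected range, 0 = outside, -1 = release string unparseable. */
int version_in_affected_range(const char *release)
{
    int maj, min, pat;

    if (!parse_kernel_version(release, &maj, &min, &pat))
        return -1;
    if (maj < AFFECTED_LO[0])
        return 0;
    if (maj == AFFECTED_LO[0] &&
        (min < AFFECTED_LO[1] || (min == AFFECTED_LO[1] && pat < AFFECTED_LO[2])))
        return 0;
    if (maj > AFFECTED_HI[0] || (maj == AFFECTED_HI[0] && min > AFFECTED_HI[1]))
        return 0;
    return 1;
}

/* Extract the bracketed token from a sysfs line such as "always [madvise] never".
 * Returns 1 and copies the token into out, or 0 if no bracketed token fits. */
int thp_selected_mode(const char *line, char *out, size_t outsz)
{
    const char *lb = strchr(line, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    size_t len;

    if (!lb || !rb)
        return 0;
    len = (size_t)(rb - lb - 1);
    if (len == 0 || len >= outsz)
        return 0;
    memcpy(out, lb + 1, len);
    out[len] = '\0';
    return 1;
}

/* Read the first line of a sysfs file without its trailing newline. */
static int read_first_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    if (!fgets(buf, (int)n, f)) {
        fclose(f);
        return 0;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

int main(void)
{
    struct utsname u;
    char line[256], mode[64];
    int verdict;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    verdict = version_in_affected_range(u.release);
    printf("kernel %s: %s\n", u.release,
           verdict == 1 ? "inside the affected range (check vendor errata for a backported fix)"
         : verdict == 0 ? "outside the affected range"
         :                "unparseable release string");

    if (read_first_line(THP_ENABLED, line, sizeof line) && thp_selected_mode(line, mode, sizeof mode))
        printf("THP enabled mode: %s\n", mode);
    else
        printf("THP enabled mode: unavailable (no THP support or sysfs not mounted)\n");
    if (read_first_line(THP_ZERO_PAGE, line, sizeof line))
        printf("THP use_zero_page: %s\n", line);
    if (read_first_line(THP_SHMEM, line, sizeof line) && thp_selected_mode(line, mode, sizeof mode))
        printf("THP shmem_enabled: %s\n", mode);
    return 0;
}
```

A RHEL 7 release such as 3.10.0-693.el7.x86_64 parses as inside the range even though RHSA-2018:0180 (listed under References) ships a fixed 3.10 kernel, which is why the version check is only a first filter and the distribution advisory or the Tenable plugin for that distribution is the authoritative answer. THP "never" or use_zero_page set to 0 reduces exposure but is a mitigation, not a fix.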

References

http://www.securityfocus.com/bid/102032

http://www.securitytracker.com/id/1040020

https://access.redhat.com/errata/RHSA-2018:0180

https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0

https://source.android.com/security/bulletin/pixel/2018-02-01

https://www.exploit-db.com/exploits/43199/

Details

Source: MITRE

Published: 2017-11-30

Updated: 2018-02-13

Type: CWE-362

Risk Information

CVSS v2.0

Base Score: 6.9

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.4

Severity: MEDIUM

CVSS v3.0

Base Score: 7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from 2.6.38 to 4.14 (inclusive)

Tenable Plugins

36 plugins total

ID | Name | Product | Family | Severity
124828 | EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505) | Nessus | Huawei Local Security Checks | critical
121792 | Photon OS 2.0: Linux PHSA-2017-2.0-0008 | Nessus | PhotonOS Local Security Checks | medium
121780 | Photon OS 1.0: Linux PHSA-2017-1.0-0093 | Nessus | PhotonOS Local Security Checks | high
111906 | Photon OS 2.0: Binutils / Linux / Wget PHSA-2017-2.0-0008 (deprecated) | Nessus | PhotonOS Local Security Checks | medium
111903 | Photon OS 1.0: Apr / Krb5 / Linux / Ncurses / Subversion PHSA-2017-1.0-0093 (deprecated) | Nessus | PhotonOS Local Security Checks | high
109158 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre) | Nessus | OracleVM Local Security Checks | high
109156 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre) | Nessus | Oracle Linux Local Security Checks | high
109127 | Amazon Linux 2 : kernel (ALAS-2018-956) (Dirty COW) (Spectre) | Nessus | Amazon Linux Local Security Checks | medium
106933 | Amazon Linux AMI : kernel (ALAS-2018-956) (Dirty COW) (Spectre) | Nessus | Amazon Linux Local Security Checks | medium
106052 | Virtuozzo 7 : readykernel-patch (VZA-2018-004) | Nessus | Virtuozzo Local Security Checks | critical
105954 | Fedora 27 : kernel (2017-b0c1f44130) (Dirty COW) | Nessus | Fedora Local Security Checks | medium
105422 | Amazon Linux AMI : kernel (ALAS-2017-937) (Dirty COW) | Nessus | Amazon Linux Local Security Checks | high
105364 | openSUSE Security Update : the Linux Kernel (openSUSE-2017-1391) (Dirty COW) | Nessus | SuSE Local Security Checks | high
105355 | Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws regression (USN-3509-4) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105354 | Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2 regression (USN-3509-3) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105344 | openSUSE Security Update : the Linux Kernel (openSUSE-2017-1390) (Dirty COW) | Nessus | SuSE Local Security Checks | high
105248 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash) | Nessus | OracleVM Local Security Checks | high
105247 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash) | Nessus | Oracle Linux Local Security Checks | high
105167 | Virtuozzo 7 : readykernel-patch (VZA-2017-111) | Nessus | Virtuozzo Local Security Checks | high
105166 | Virtuozzo 7 : readykernel-patch (VZA-2017-110) | Nessus | Virtuozzo Local Security Checks | high
105165 | Virtuozzo 7 : readykernel-patch (VZA-2017-109) | Nessus | Virtuozzo Local Security Checks | high
105150 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3249-1) (Dirty COW) | Nessus | SuSE Local Security Checks | high
105146 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0172) (Dirty COW) | Nessus | OracleVM Local Security Checks | high
105143 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3651) (Dirty COW) | Nessus | Oracle Linux Local Security Checks | high
105107 | Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3511-1) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105106 | Ubuntu 14.04 LTS : linux vulnerabilities (USN-3510-1) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105105 | Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3509-2) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105104 | Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3509-1) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105103 | Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3508-2) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105102 | Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3508-1) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105101 | Ubuntu 16.04 LTS : linux-gcp vulnerabilities (USN-3507-2) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105100 | Ubuntu 17.10 : linux, linux-raspi2 vulnerabilities (USN-3507-1) (Dirty COW) | Nessus | Ubuntu Local Security Checks | high
105073 | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3226-1) (Dirty COW) | Nessus | SuSE Local Security Checks | high
105072 | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW) | Nessus | SuSE Local Security Checks | high
105020 | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3210-1) (Dirty COW) | Nessus | SuSE Local Security Checks | high
105013 | Fedora 26 : kernel (2017-9ea11e444d) (Dirty COW) | Nessus | Fedora Local Security Checks | medium