CVE-2017-7184

HIGH

Description

The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df

http://openwall.com/lists/oss-security/2017/03/29/2

http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition

http://www.securityfocus.com/bid/97018

http://www.securitytracker.com/id/1038166

https://access.redhat.com/errata/RHSA-2017:2918

https://access.redhat.com/errata/RHSA-2017:2930

https://access.redhat.com/errata/RHSA-2017:2931

https://blog.trendmicro.com/results-pwn2own-2017-day-one/

https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a

https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df

https://source.android.com/security/bulletin/2017-05-01

https://twitter.com/thezdi/status/842126074435665920

Details

Source: MITRE

Published: 2017-03-19

Updated: 2019-10-03

Risk Information

CVSS v2.0

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.9

Severity: HIGH

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:o:linux:linux_kernel:4.8:*:*:*:*:*:*:*

OR

cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*

Tenable Plugins

View all (46 total)

IDNameProductFamilySeverity
131980RHEL 7 : kernel (RHSA-2019:4159)NessusRed Hat Local Security Checks
high
127146NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)NessusNewStart CGSL Local Security Checks
critical
124992EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1539)NessusHuawei Local Security Checks
critical
121680Photon OS 1.0: Linux PHSA-2017-0011NessusPhotonOS Local Security Checks
high
111860Photon OS 1.0: Krb5 / Linux PHSA-2017-0011 (deprecated)NessusPhotonOS Local Security Checks
high
104106CentOS 7 : kernel (CESA-2017:2930)NessusCentOS Local Security Checks
high
104090RHEL 6 : MRG (RHSA-2017:2918)NessusRed Hat Local Security Checks
high
104088Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)NessusOracle Linux Local Security Checks
critical
104008Scientific Linux Security Update : kernel on SL7.x x86_64 (20171019)NessusScientific Linux Local Security Checks
high
104004RHEL 7 : kernel-rt (RHSA-2017:2931)NessusRed Hat Local Security Checks
high
104003RHEL 7 : kernel (RHSA-2017:2930)NessusRed Hat Local Security Checks
high
104001Oracle Linux 7 : kernel (ELSA-2017-2930)NessusOracle Linux Local Security Checks
high
103354SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)NessusSuSE Local Security Checks
critical
102774OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)NessusOracleVM Local Security Checks
critical
102773Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash)NessusOracle Linux Local Security Checks
critical
100238OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)NessusOracleVM Local Security Checks
critical
100237OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0105)NessusOracleVM Local Security Checks
critical
100235Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)NessusOracle Linux Local Security Checks
critical
100234Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3566)NessusOracle Linux Local Security Checks
critical
100214SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1301-1)NessusSuSE Local Security Checks
high
99733Debian DLA-922-1 : linux security updateNessusDebian Local Security Checks
high
99392OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0062)NessusOracleVM Local Security Checks
high
99389Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3539)NessusOracle Linux Local Security Checks
high
99177Fedora 25 : kernel (2017-93dec9eba5)NessusFedora Local Security Checks
high
99174Fedora 24 : kernel (2017-02174df32f)NessusFedora Local Security Checks
high
99173Virtuozzo 7 : readykernel-patch (VZA-2017-026)NessusVirtuozzo Local Security Checks
high
99157openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)NessusSuSE Local Security Checks
high
99156openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)NessusSuSE Local Security Checks
high
99120SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0889-1)NessusSuSE Local Security Checks
high
99119SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0888-1)NessusSuSE Local Security Checks
high
99118SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0881-1)NessusSuSE Local Security Checks
high
99117SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0880-1)NessusSuSE Local Security Checks
high
99116SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0876-1)NessusSuSE Local Security Checks
high
99115SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0875-1)NessusSuSE Local Security Checks
high
99114SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0873-1)NessusSuSE Local Security Checks
high
99101Ubuntu 16.04 LTS : linux-hwe vulnerability (USN-3251-2)NessusUbuntu Local Security Checks
high
99100Ubuntu 16.10 : linux, linux-raspi2 vulnerability (USN-3251-1)NessusUbuntu Local Security Checks
high
99099Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-3250-2)NessusUbuntu Local Security Checks
high
99098Ubuntu 14.04 LTS : linux vulnerability (USN-3250-1)NessusUbuntu Local Security Checks
high
99097Ubuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3249-2)NessusUbuntu Local Security Checks
high
99096Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerability (USN-3249-1)NessusUbuntu Local Security Checks
high
99095Ubuntu 12.04 LTS : linux, linux-ti-omap4 vulnerability (USN-3248-1)NessusUbuntu Local Security Checks
high
99092SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0866-1)NessusSuSE Local Security Checks
high
99091SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0865-1)NessusSuSE Local Security Checks
high
99090SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0864-1)NessusSuSE Local Security Checks
high
99038Amazon Linux AMI : kernel (ALAS-2017-811)NessusAmazon Linux Local Security Checks
high