CVE-2017-7184
Description
The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 4.9.20-1 | |
| sles | affected | | |
| debian | bookworm | fixed | 4.9.18-1 |
| debian | bullseye | fixed | 4.9.18-1 |
| debian | forky | fixed | 4.9.18-1 |
| debian | sid | fixed | 4.9.18-1 |
| debian | trixie | fixed | 4.9.18-1 |
| linux-kernel | 4.8 | affected | |
| linux-kernel | affected | 3.2.89 | |
| ubuntu | 16.10 | not-affected | |
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df
- http://openwall.com/lists/oss-security/2017/03/29/2
- http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition
- http://www.securityfocus.com/bid/97018
- http://www.securitytracker.com/id/1038166
- https://access.redhat.com/errata/RHSA-2017:2918
- https://access.redhat.com/errata/RHSA-2017:2930
- https://access.redhat.com/errata/RHSA-2017:2931
- https://access.redhat.com/errata/RHSA-2019:4159
- https://blog.trendmicro.com/results-pwn2own-2017-day-one/
- https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a
- https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df
- https://source.android.com/security/bulletin/2017-05-01
- https://twitter.com/thezdi/status/842126074435665920
- https://www.suse.com/security/cve/CVE-2017-7184.html
- https://security-tracker.debian.org/tracker/CVE-2017-7184
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.