Linux Kernel up to 4.9.11 net/dccp/input.c dccp_rcv_state_process Free use after free
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
5.0 | $0-$5k | 0.00 |
A vulnerability was found in Linux Kernel up to 4.9.11 (Operating System). It has been rated as problematic. Affected by this issue is the function dccp_rcv_state_process
of the file net/dccp/input.c. Manipulation with an unknown input leads to a memory-safety flaw in the freeing of a DCCP packet structure (VulDB class: Free; the CVE text calls it an invalid free and the OSVDB entry a double free). Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. The impact rated here is availability (a local denial of service); the CVE text leaves open an unspecified other impact. CVE summarizes:
The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to cause a denial of service (invalid free) or possibly have unspecified other impact via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
The bug was discovered on 02/17/2017. The weakness was disclosed on 02/18/2017 in a mailing list post (oss-sec); the advisory is available at seclists.org. This vulnerability has been tracked as CVE-2017-6074 since 02/17/2017. Local access is required to carry out this attack, and exploitation requires only a low-privileged local account (the CVE text speaks of "local users"). Technical details as well as a public exploit are known.
A public exploit has been developed in ANSI C. The exploit is available at securityfocus.com. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 97415 (Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20170224)), which helps to determine whether the flaw is present in a target environment. It is assigned to the family Scientific Linux Local Security Checks and runs in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 351446 (Amazon Linux Security Advisory for kernel: ALAC2012-2018-012). Note that both plugins are distribution-specific package checks (Scientific Linux 5 and Amazon Linux respectively); on other distributions the corresponding vendor kernel advisory has to be consulted.
Applying a patch eliminates this problem. The bugfix is available for download at github.com. A possible mitigation was published before, and not just after, the disclosure of the vulnerability.
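The following triage script is an added example and is not code from the VulDB entry, from kernel.org or from the oss-sec post. It checks three things a practitioner wants to know on a host: whether the running kernel's upstream version string falls within the "up to 4.9.11" range given above, whether the dccp module is currently loaded, and whether a modprobe rule prevents dccp from being loaded at all. The "install dccp /bin/true" and "blacklist dccp" rules it looks for are assumed here to be the mitigation in use; that choice, the function names and the file-path arguments are all this example's own. Every function defaults to the live system but accepts a path so the checks can be run against constructed inputs.

```shell
#!/bin/sh
# Added example (not from the VulDB entry, kernel.org or the advisory):
# local triage for CVE-2017-6074 on a Linux host.

# version_le A B: succeed (exit 0) when dotted version A <= B, comparing the
# first three numeric components; suffixes such as "11-rc1" are read as 11.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# affected_kernel [VERSION]: succeed when VERSION (default: uname -r with the
# distro suffix after "-" removed) is <= 4.9.11, the last release named as
# affected. Caveat: distributions backport fixes without changing the version,
# so a hit here means "check the distro advisory", not "confirmed vulnerable".
affected_kernel() {
    v="${1:-$(uname -r | cut -d- -f1)}"
    version_le "$v" "4.9.11"
}

# dccp_loaded [MODULES_FILE]: succeed when the dccp module is listed in
# /proc/modules (dccp_ipv4/dccp_ipv6 always pull in dccp itself).
dccp_loaded() {
    grep -qs '^dccp[[:space:]]' "${1:-/proc/modules}"
}

# dccp_disabled [MODPROBE_DIR]: succeed when some *.conf in the modprobe
# directory either blacklists dccp or maps its install to /bin/true|false
# (assumed mitigation: prevents autoloading on socket(AF_INET6, SOCK_DCCP)).
dccp_disabled() {
    dir="${1:-/etc/modprobe.d}"
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+dccp|install[[:space:]]+dccp[[:space:]]+/bin/(true|false))([[:space:]]|$)' \
        "$dir"/*.conf 2>/dev/null
}

# triage [VERSION] [MODULES_FILE] [MODPROBE_DIR]: print one line per check and
# return 0 when nothing needs attention, 1 when follow-up is required.
triage() {
    rc=0
    if affected_kernel "$1"; then
        echo "kernel ${1:-$(uname -r)}: within affected range (<= 4.9.11); verify against the distro advisory"
        rc=1
    else
        echo "kernel ${1:-$(uname -r)}: above 4.9.11"
    fi
    if dccp_loaded "$2"; then
        echo "dccp: module currently loaded"
        rc=1
    elif dccp_disabled "$3"; then
        echo "dccp: load prevented by modprobe rule"
    else
        echo "dccp: not loaded, but nothing prevents autoloading by an unprivileged socket() call"
        rc=1
    fi
    return $rc
}

# Live run against this host; $status is 1 when follow-up is needed.
status=0
triage "$@" || status=$?
```

The version check deliberately errs on the side of flagging: on a distribution kernel such as a 4.4.x or 3.10.x with backports, the only reliable answer comes from the package version and the vendor advisory (the Nessus and Qualys plugins named above do exactly that for their respective distributions). The module checks are independent of the kernel version and are what actually decides whether the vulnerable code can be reached on a host that has no legitimate DCCP users.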
The vulnerability is also documented in the databases at Tenable (97415) and Exploit-DB (41457). See 79791, 95830, 96555 and 96560 for similar entries.
CVSSv3
VulDB Meta Base Score: 5.5
VulDB Meta Temp Score: 5.4
VulDB Base Score: 3.3
VulDB Temp Score: 3.0
NVD Base Score: 7.8
The VulDB base score reflects only the local denial-of-service impact rated above; the higher NVD score also accounts for the "unspecified other impact" left open in the CVE text.
Exploiting
Name: Free
Class: Use after free / Free
CWE: CWE-416 / CWE-119
Local: Yes
Remote: No
Access: Public
Status: Proof-of-Concept
Programming Language: ANSI C
Nessus ID: 97415
Nessus Name: Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20170224)
Nessus Family: Scientific Linux Local Security Checks
OpenVAS ID: 900211
OpenVAS Name: SuSE Update for Linux Kernel openSUSE-SU-2017:0547-1 (Linux Kernel)
Qualys ID: 351446
Qualys Name: Amazon Linux Security Advisory for kernel: ALAC2012-2018-012
Exploit-DB: 41457
Countermeasures
Recommended: Patch
Patch: github.com
Timeline
02/17/2017
02/18/2017
02/19/2017
02/20/2017
02/27/2017
Sources
Vendor: kernel.org
Advisory: seclists.org
Status: Not defined
CVE: CVE-2017-6074
SecurityFocus: 96310 - Linux Kernel CVE-2017-6074 Local Denial of Service Vulnerability
OSVDB: - CVE-2017-6074 - Linux - Double Free Issue
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 02/19/2017 09:31
Changes: 02/19/2017 09:31 (90)