CVE-2017-11473 in Android
Summary
by MITRE • 01/25/2023
Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.
Analysis
by VulDB Data Team • 01/25/2023
The vulnerability identified as CVE-2017-11473 represents a critical buffer overflow flaw within the Linux kernel's ACPI (Advanced Configuration and Power Interface) subsystem. This issue exists in the mp_override_legacy_irq() function located in arch/x86/kernel/acpi/boot.c, affecting Linux kernel versions through 4.12.2. The flaw specifically manifests when processing crafted ACPI tables, creating a pathway for local attackers to escalate their privileges within the system. The vulnerability stems from inadequate input validation and bounds checking during the parsing of ACPI table entries, particularly those related to interrupt override configurations. The buffer overflow occurs when the kernel attempts to store interrupt override information from an ACPI table into a fixed-size buffer without proper verification of the input data length. This type of vulnerability falls under CWE-121, which describes stack-based buffer overflow conditions, and represents a classic example of improper input validation leading to privilege escalation.
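The defect class described above, an attacker-influenced field from a firmware table used directly as an index into a fixed-size kernel array, is easiest to see beside its fix. The following is an added illustration written for this page; it is not the Linux kernel's mp_override_legacy_irq() code. The record layout, the LEGACY_IRQ_COUNT constant, the function names and the sample table are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model, not kernel code: 16 legacy ISA IRQs, each mapped
 * to a global system interrupt (GSI). The constant name is assumed. */
#define LEGACY_IRQ_COUNT 16

static uint32_t isa_irq_to_gsi[LEGACY_IRQ_COUNT];

/* One "interrupt source override" record as a firmware table might carry
 * it (field layout simplified and constructed for this example). */
struct irq_override {
    uint8_t  bus_irq;   /* legacy ISA IRQ number; attacker-influenced if the table is crafted */
    uint8_t  polarity;
    uint8_t  trigger;
    uint32_t gsi;
};

/*
 * Vulnerable pattern (shown for contrast, never executed here): the
 * record's bus_irq is used as an array index without a range check, so a
 * record with bus_irq >= LEGACY_IRQ_COUNT writes past the end of
 * isa_irq_to_gsi into whatever the linker placed after it.
 *
 *   isa_irq_to_gsi[rec->bus_irq] = rec->gsi;   // no bounds check
 */

/* Hardened form: reject any record whose index would leave the array.
 * Returns 0 when the override is applied, -1 when it is rejected. */
int override_legacy_irq(const struct irq_override *rec)
{
    if (rec->bus_irq >= LEGACY_IRQ_COUNT) {
        fprintf(stderr, "rejecting override: bus_irq %u out of range\n",
                (unsigned)rec->bus_irq);
        return -1;
    }
    isa_irq_to_gsi[rec->bus_irq] = rec->gsi;
    return 0;
}

/* Apply a whole table; returns the number of rejected records so the
 * caller can log, or refuse to trust, a table that failed validation. */
int apply_override_table(const struct irq_override *tab, size_t n)
{
    size_t i;
    int rejected = 0;
    memset(isa_irq_to_gsi, 0, sizeof(isa_irq_to_gsi));
    for (i = 0; i < n; i++)
        if (override_legacy_irq(&tab[i]) != 0)
            rejected++;
    return rejected;
}

/* Bounds-checked read of the mapping; 0 means "no override recorded". */
uint32_t lookup_gsi(uint8_t bus_irq)
{
    return bus_irq < LEGACY_IRQ_COUNT ? isa_irq_to_gsi[bus_irq] : 0;
}

/* Constructed sample table: two sane overrides and one out-of-range entry
 * of the kind a malformed or crafted table could carry. */
static const struct irq_override sample_table[] = {
    { 0,   0, 0, 2 },          /* timer: ISA IRQ 0 -> GSI 2 */
    { 9,   1, 1, 9 },          /* SCI:   ISA IRQ 9 -> GSI 9 */
    { 200, 0, 0, 0xdeadbeef }, /* bogus: index 200 would overrun a 16-entry array */
};

int run_sample(void)
{
    return apply_override_table(sample_table,
                                sizeof(sample_table) / sizeof(sample_table[0]));
}

int main(void)
{
    int rejected = run_sample();
    printf("rejected %d record(s); IRQ0 -> GSI %u, IRQ9 -> GSI %u\n",
           rejected, (unsigned)lookup_gsi(0), (unsigned)lookup_gsi(9));
    return 0;
}
```

The point of the check is that the index comes from data the kernel did not produce, so the only safe assumption is that it can hold any value its type allows; validating it against the array length before the store turns a memory-corruption primitive into a logged, rejected record.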
The operational impact of this vulnerability extends beyond simple local privilege escalation, as it provides attackers with the ability to execute arbitrary code with kernel-level privileges. When a maliciously crafted ACPI table is loaded by the system, the buffer overflow corrupts adjacent memory regions, potentially allowing an attacker to overwrite critical kernel data structures or function pointers. The attack vector requires local system access and the ability to influence ACPI table loading, which typically occurs during system boot or when ACPI tables are dynamically updated. This vulnerability is particularly concerning because it operates at the kernel level, where successful exploitation can result in complete system compromise and persistent access. The flaw can be exploited through various means including malicious firmware updates, crafted boot parameters, or by manipulating ACPI table files that are loaded during system initialization. The vulnerability's presence in the kernel's boot process makes it especially dangerous as it can be triggered even before normal security mechanisms are fully operational.
Mitigation strategies for CVE-2017-11473 should focus on both immediate patching and system hardening measures. The primary solution involves upgrading to a Linux kernel version that includes the fix for this vulnerability, typically kernel 4.12.3 or later. Organizations should implement robust kernel update policies and ensure all systems are promptly patched. Additionally, system administrators should consider disabling unnecessary ACPI features and implementing strict ACPI table validation mechanisms. The vulnerability demonstrates the importance of input validation in kernel space code and aligns with ATT&CK technique T1068, which covers privilege escalation through kernel vulnerabilities. Security monitoring should include detection of unusual ACPI table loading activities and memory corruption patterns. System hardening measures such as kernel address space layout randomization (KASLR), control flow integrity (CFI), and kernel module signing can provide additional defense-in-depth layers. Organizations should also implement regular security assessments of their kernel configurations and ensure that only trusted ACPI tables are loaded into the system, particularly in environments where physical access controls are not strictly enforced. The vulnerability serves as a reminder of the critical importance of maintaining up-to-date kernel versions and implementing comprehensive security controls around system boot processes and firmware management.