CVE-2017-6347 in Linuxinfo

Summary

by MITRE

The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 09/03/2020

The vulnerability described in CVE-2017-6347 resides within the Linux kernel's networking stack, specifically in the ip_cmsg_recv_checksum function located in net/ipv4/ip_sockglue.c. This flaw represents a critical buffer over-read condition that affects Linux kernel versions prior to 4.10.1, creating a significant security risk for systems running vulnerable kernel versions. The issue manifests when the kernel processes incoming network packets through the socket interface, particularly when handling certain combinations of system calls and packet transmission methods.

The technical root cause of this vulnerability stems from incorrect assumptions made by the kernel regarding the layout and structure of socket buffer (skb) data. When the ip_cmsg_recv_checksum function processes incoming packets, it makes faulty assumptions about how packet data is organized in memory, leading to improper bounds checking during data processing. This improper handling occurs specifically when the MSG_MORE flag is used in conjunction with loopback UDP transmission, creating a scenario where the kernel attempts to read beyond the allocated buffer boundaries. The vulnerability is classified as a buffer over-read because the function accesses memory locations that extend beyond the actual allocated buffer space, potentially causing system instability or unpredictable behavior.

The operational impact of this vulnerability extends beyond simple denial of service, as it could potentially enable more sophisticated attacks depending on the system configuration and execution environment. Local attackers with access to the system can exploit this vulnerability to trigger buffer over-read conditions that may result in kernel crashes, system hangs, or in some cases, could potentially be leveraged to execute arbitrary code or escalate privileges. The vulnerability affects systems that utilize loopback UDP transmission with the MSG_MORE flag, which is commonly found in various networking applications and system services. This makes the attack surface broader as many legitimate network operations could inadvertently trigger the vulnerable code path.

The exploitation of this vulnerability aligns with several tactics described in the MITRE ATT&CK framework, particularly those related to privilege escalation and denial of service attacks. From a CWE perspective, this represents a classic buffer over-read flaw classified as CWE-125, where an application reads data past the end of a buffer. The vulnerability demonstrates how improper memory management and insufficient bounds checking in kernel space can create serious security implications. Organizations should immediately apply the kernel patch released in version 4.10.1 to address this vulnerability. System administrators should also implement monitoring for unusual network behavior or kernel crashes that might indicate exploitation attempts. Additional mitigations include restricting local user access where possible and implementing proper kernel security modules to detect and prevent abnormal memory access patterns. Regular kernel updates and security assessments remain crucial for maintaining system integrity against similar vulnerabilities in the networking subsystem.

Reservation

02/26/2017

Disclosure

03/01/2017

Moderation

accepted

Entry

VDB-97447

CPE

ready

EPSS

0.00438

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!