CVE-2017-7472 in Linux
Summary
by MITRE
The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.
Analysis
by VulDB Data Team • 12/21/2024
CVE-2017-7472 is a vulnerability in the Linux kernel's KEYS subsystem affecting versions prior to 4.10.13. It is a resource exhaustion issue in the kernel's handling of keyring requests: when a local user executes a sequence of keyctl_set_reqkey_keyring system calls with the KEY_REQKEY_DEFL_THREAD_KEYRING parameter, kernel memory consumption grows without bound. Because the KEYS subsystem manages cryptographic keys and credentials across the operating system, the flaw is particularly concerning for system stability and availability.
The flaw stems from insufficient bounds checking and memory management in the kernel's keyring request handling. When KEY_REQKEY_DEFL_THREAD_KEYRING is passed in consecutive keyctl_set_reqkey_keyring calls, the kernel does not properly track or limit the memory allocated for these requests, so each successive call consumes additional kernel memory without cleanup or resource limitation. Since the defect sits in the kernel itself, local users with minimal privileges can exhaust available memory. The issue is categorized as CWE-400 (unspecified resource exhaustion), manifesting here as memory consumption without bounds enforcement.
The impact extends beyond a simple denial of service and can destabilize the whole system. A local attacker who repeatedly invokes the vulnerable keyctl call consumes kernel memory until the system becomes unstable, applications crash or the machine hangs. This is especially dangerous in multi-user environments and on systems where unprivileged users have shell access. Affected kernels span versions 2.6.32 through 4.10.12, a large share of widely deployed releases. In ATT&CK terms the attack corresponds to technique T1499.001 (resource exhaustion), here targeting system memory to achieve denial of service.
Mitigation for CVE-2017-7472 is primarily an upgrade to kernel 4.10.13 or later, which contains the patch that prevents the unbounded memory consumption. Administrators should also consider monitoring for unusual patterns of keyctl system calls that could indicate exploitation attempts, and access controls and privilege restrictions can limit the ability of untrusted users to run keyctl operations. The fix in patched kernels addresses the root cause by introducing proper memory accounting and limiting the number of keyring requests that can be processed within a given timeframe. Organizations should also review their keyring configurations and ensure that unnecessary keyring operations are disabled or restricted.
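The keyctl monitoring suggested above, as an added example that is not part of the VulDB analysis: it scans auditd SYSCALL records for keyctl(KEYCTL_SET_REQKEY_KEYRING, KEY_REQKEY_DEFL_THREAD_KEYRING) calls and flags processes issuing them in bursts. It assumes x86_64 syscall numbering and auditd's record layout; the sample records, the process name, the threshold and the window are constructed.

```python
import re
from collections import defaultdict

KEYCTL_SYSCALL_NR = 250                # keyctl() on x86_64 (syscall table)
KEYCTL_SET_REQKEY_KEYRING = 14         # keyctl operation, <linux/keyctl.h>, logged in a0
KEY_REQKEY_DEFL_THREAD_KEYRING = 1     # default keyring selector, logged in a1

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = re.compile(r'msg=audit\((\d+)\.\d+:\d+\)')

def match_reqkey_thread_keyring(line):
    # (pid, epoch seconds) if an auditd SYSCALL record is a
    # keyctl(KEYCTL_SET_REQKEY_KEYRING, KEY_REQKEY_DEFL_THREAD_KEYRING) call, else None.
    ts = _TS.search(line)
    if "type=SYSCALL" not in line or ts is None:
        return None
    rec = dict(_FIELD.findall(line))
    try:                               # auditd logs a0..a3 in hex
        if (int(rec["syscall"]) == KEYCTL_SYSCALL_NR
                and int(rec["a0"], 16) == KEYCTL_SET_REQKEY_KEYRING
                and int(rec["a1"], 16) == KEY_REQKEY_DEFL_THREAD_KEYRING):
            return rec["pid"], int(ts.group(1))
    except (KeyError, ValueError):
        pass
    return None

def flag_bursts(lines, threshold=5, window=10):
    # {pid: total matching calls} for each pid with > threshold calls in any window seconds.
    per_pid = defaultdict(list)
    for line in lines:
        hit = match_reqkey_thread_keyring(line)
        if hit:
            per_pid[hit[0]].append(hit[1])
    flagged = {}
    for pid, stamps in per_pid.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):   # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[pid] = len(stamps)
                break
    return flagged

# Constructed sample (not a real capture): eight thread-keyring calls from pid 4242 within
# 8 s, plus one session-keyring call (a1=3) and one KEYCTL_READ (a0=0xb) as benign noise.
_SAMPLES = [(1700000000 + i, 4242, 14, 1) for i in range(8)]
_SAMPLES += [(1700000000, 4300, 14, 3), (1700000001, 4301, 11, 0)]
SAMPLE_LOG = [f'type=SYSCALL msg=audit({ts}.000:{ts % 1000}): arch=c000003e syscall=250 '
              f'success=yes exit=0 a0={a0:x} a1={a1:x} a2=0 a3=0 items=0 ppid=1 pid={pid} '
              f'auid=1000 uid=1000 comm="keyloop"' for ts, pid, a0, a1 in _SAMPLES]
```

auditd only emits such records when a rule auditing the keyctl syscall is loaded (for example `-a always,exit -F arch=b64 -S keyctl`), so the rule must be in place before this detection has anything to read.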