Linux Kernel up to 4.11.5 offset2lib Patch execve Argument access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.3 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in Linux Kernel up to 4.11.5. Affected by this issue is the function execve of the component offset2lib Patch. Performing a manipulation as part of Argument results in access control.
This vulnerability is known as CVE-2017-1000370. Attacking locally is a requirement. Furthermore, an exploit is available.
It is recommended to upgrade the affected component.
Details
A vulnerability, which was classified as critical, was found in Linux Kernel up to 4.11.5 (Operating System). This affects the function execve of the component offset2lib Patch. The manipulation as part of a Argument leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems.
The bug was discovered 06/19/2017. The weakness was published 06/19/2017 with Qualys (Website). It is possible to read the advisory at access.redhat.com. This vulnerability is uniquely identified as CVE-2017-1000370 since 06/19/2017. The exploitability is told to be easy. Attacking locally is a requirement. No form of authentication is needed for exploitation. Technical details and a public exploit are known. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
A public exploit has been developed by Qualys Corporation in ANSI C and been published 2 weeks after the advisory. The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 101068 (Fedora 24 : kernel (2017-05f10e29f4) (Stack Clash)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 370435 (Linux kernel / glibc Elevation of Privileges (Stack Clash) (Deprecated)).
Upgrading eliminates this vulnerability. A possible mitigation has been published 4 days after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Exploit-DB (42273), Tenable (101068) and SecurityFocus (BID 99149†). Similar entries are available at VDB-102672, VDB-102676 and VDB-102684. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.5VulDB Meta Temp Score: 6.3
VulDB Base Score: 5.3
VulDB Temp Score: 4.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Qualys Corporation
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 101068
Nessus Name: Fedora 24 : kernel (2017-05f10e29f4) (Stack Clash)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 53754
OpenVAS Name: Debian Security Advisory DSA 3981-1 (linux - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Timeline
06/19/2017 🔍06/19/2017 🔍
06/19/2017 🔍
06/19/2017 🔍
06/20/2017 🔍
06/20/2017 🔍
06/23/2017 🔍
06/28/2017 🔍
06/28/2017 🔍
06/28/2017 🔍
01/11/2025 🔍
Sources
Vendor: kernel.orgAdvisory: FEDORA-2017-05f10e29f4
Researcher: Qualys Inc
Organization: Qualys
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2017-1000370 (🔍)
GCVE (CVE): GCVE-0-2017-1000370
GCVE (VulDB): GCVE-100-102675
OVAL: 🔍
SecurityFocus: 99149 - Linux Kernel CVE-2017-1000370 Local Security Bypass Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 06/20/2017 08:07Updated: 01/11/2025 19:21
Changes: 06/20/2017 08:07 (88), 10/21/2019 16:48 (7), 12/29/2020 09:19 (2), 12/08/2022 15:48 (3), 01/11/2025 19:21 (14)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.