xfrm_user: validate XFRM_MSG_NEWAE ... CVE-2017-7184 [released]

Tracked by Jolla (In release)

asked 2017-05-03 12:24:13 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-05-03 12:26:15 +0300

lpr gravatar image


The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package

This is confirmed in link and link

Only vulnerable if unprivileged user namespaces are enabled.

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by lpr
close date 2017-06-14 18:08:28.041268


released inämsänjoki

lpr ( 2017-06-14 18:08:17 +0300 )edit