CVE-2017-17052 - Use After Free vulnerability in Linux Kernel

Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2018-0035.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0035 for details.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 109158
published: 2018-04-19
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109158
title: OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2018-0035.
    #

    include("compat.inc");

    if (description)
    {
      script_id(109158);
      script_version("1.7");
      script_cvs_date("Date: 2019/09/27 13:00:35");

      script_cve_id(
        "CVE-2016-10318", "CVE-2016-9191", "CVE-2017-0861", "CVE-2017-1000112",
        "CVE-2017-1000405", "CVE-2017-1000407", "CVE-2017-10661", "CVE-2017-12154",
        "CVE-2017-12190", "CVE-2017-12192", "CVE-2017-12193", "CVE-2017-14106",
        "CVE-2017-14140", "CVE-2017-14489", "CVE-2017-15115", "CVE-2017-15537",
        "CVE-2017-15649", "CVE-2017-16525", "CVE-2017-16526", "CVE-2017-16527",
        "CVE-2017-16529", "CVE-2017-16530", "CVE-2017-16531", "CVE-2017-16532",
        "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16646",
        "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-17052", "CVE-2017-17712",
        "CVE-2017-2618", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754",
        "CVE-2017-7482", "CVE-2017-7518", "CVE-2017-7541", "CVE-2017-7542",
        "CVE-2017-7618", "CVE-2017-8824", "CVE-2018-1068"
      );

      script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)");
      script_summary(english:"Checks the RPM output for the updated packages.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates : please see Oracle VM Security Advisory
    OVMSA-2018-0035 for details."
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2018-April/000845.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?756979c2"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");

      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Local checks must be enabled and the target must be OracleVM 3.4.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # The fixed packages exist only for x86_64.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

    # Compare installed kernel-uek packages against the fixed versions.
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-124.14.1.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-124.14.1.el6uek")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2018-4071.NASL
description: The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 109156
published: 2018-04-19
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109156
title: Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre)

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2018-0033.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
- mlx4: change the ICM table allocations to lowest needed size (Daniel Jurgens) [Orabug: 27718305]
- autofs: use dentry flags to block walks during expire (Ian Kent)
- autofs races (Al Viro) [Orabug: 27766149] [Orabug: 27766149]
- crypto: FIPS - allow tests to be disabled in FIPS mode (Stephan Mueller) [Orabug: 26182706]
- crypto: rng - Zero seed in crypto_rng_reset (Herbert Xu) [Orabug: 26182706]
- crypto: xts - consolidate sanity check for keys (Stephan Mueller)
- fork: fix incorrect fput of ->exe_file causing use-after-free (Eric Biggers) [Orabug: 27290198] (CVE-2017-17052)
- negotiate_mq should happen in all cases of a new VBD being discovered by xen-blkfront, whether called through _probe or a hot-attached new VBD from dom-0 via xenstore. Otherwise, hot-attached new VBDs are left configured without multi-queue. (Patrick Colp) [Orabug: 27383895]
- rds: Fix NULL pointer dereference in __rds_rdma_map (Håkon Bugge)
- nvme: fix uninitialized prp2 value on small transfers (Jan H. Schönherr) [Orabug: 27581008]
- xen-netfront: Improve error handling during initialization (Ross Lagerwall) [Orabug: 27655820]
- RDS: IB: Fix null pointer issue (Guanglei Li) [Orabug: 27636704]
- mstflint: update Makefile and Kconfig (Qing Huang) [Orabug: 27656465]
- target: add inquiry_product module param to override LIO default (Kyle Fortin) [Orabug: 27679482]
- target: add inquiry_vendor module param to override LIO-ORG (Kyle Fortin) [Orabug: 27679482]
- net/rds: Avoid copy overhead if send buff is full (Gerd Rausch)
- IB/core: Avoid calling ib_query_device (Or Gerlitz) [Orabug: 27687710]
- IB/core: Save the device attributes on the device structure (Ira Weiny) [Orabug: 27687710]
- KVM: x86: fix singlestepping over syscall (Paolo Bonzini) [Orabug: 27669907] (CVE-2017-7518) (CVE-2017-7518)
- xen/acpi: upload _PSD info for non-dom0 CPUs too (Joao Martins)
- Revert
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 109114
published: 2018-04-18
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109114
title: OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0033)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1484.NASL
description: According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
- In the Linux kernel, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data. This allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impacts. (CVE-2017-18222)
- A flaw was found in the way the Linux kernel
last seen: 2020-03-19
modified: 2019-05-13
plugin id: 124808
published: 2019-05-13
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124808
title: EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1484)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2018-4062.NASL
description: Description of changes:
[4.1.12-112.16.7.el7uek]
- mlx4: change the ICM table allocations to lowest needed size (Daniel Jurgens) [Orabug: 27718305]
- autofs: use dentry flags to block walks during expire (Ian Kent) [Orabug: 26032471] [Orabug: 27766149]
- autofs races (Al Viro) [Orabug: 27766149] [Orabug: 27766149]
- crypto: FIPS - allow tests to be disabled in FIPS mode (Stephan Mueller) [Orabug: 26182706]
- crypto: rng - Zero seed in crypto_rng_reset (Herbert Xu) [Orabug: 26182706]
- crypto: xts - consolidate sanity check for keys (Stephan Mueller) [Orabug: 26182706]
[4.1.12-112.16.6.el7uek]
- fork: fix incorrect fput of ->exe_file causing use-after-free (Eric Biggers) [Orabug: 27290198] {CVE-2017-17052}
- negotiate_mq should happen in all cases of a new VBD being discovered by xen-blkfront, whether called through _probe() or a hot-attached new VBD from dom-0 via xenstore. Otherwise, hot-attached new VBDs are left configured without multi-queue. (Patrick Colp) [Orabug: 27383895]
- rds: Fix NULL pointer dereference in __rds_rdma_map (Håkon Bugge) [Orabug: 27477007]
- nvme: fix uninitialized prp2 value on small transfers (Jan H. Schönherr) [Orabug: 27581008]
- xen-netfront: Improve error handling during initialization (Ross Lagerwall) [Orabug: 27655820]
- RDS: IB: Fix NULL pointer issue (Guanglei Li) [Orabug: 27636704]
- mstflint: update Makefile and Kconfig (Qing Huang) [Orabug: 27656465]
- target: add inquiry_product module param to override LIO default (Kyle Fortin) [Orabug: 27679482]
- target: add inquiry_vendor module param to override LIO-ORG (Kyle Fortin) [Orabug: 27679482]
- net/rds: Avoid copy overhead if send buff is full (Gerd Rausch) [Orabug: 27747176]
[4.1.12-112.16.5.el7uek]
- IB/core: Avoid calling ib_query_device (Or Gerlitz) [Orabug: 27687710]
- IB/core: Save the device attributes on the device structure (Ira Weiny) [Orabug: 27687710]
- KVM: x86: fix singlestepping over syscall (Paolo Bonzini) [Orabug: 27669907] {CVE-2017-7518} {CVE-2017-7518}
- xen/acpi: upload _PSD info for non-dom0 CPUs too (Joao Martins) [Orabug: 27655757]
- Revert
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 109008
published: 2018-04-12
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109008
title: Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4062)