Vulnerability Details : CVE-2017-5985
lxc-user-nic in Linux Containers (LXC) allows local users with a lxc-usernet allocation to create network interfaces on the host and choose the name of those interfaces by leveraging lack of netns ownership check.
Exploit prediction scoring system (EPSS) score for CVE-2017-5985
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-5985
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
3.9
|
2.9
|
NIST |
3.3
|
LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
1.8
|
1.4
|
NIST |
CWE ids for CVE-2017-5985
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5985
-
https://lists.linuxcontainers.org/pipermail/lxc-devel/2017-March/015535.html
[lxc-devel] Security fix for CVE-2017-5985 (lxc-user-nic)Vendor Advisory
-
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676
Bug #1654676 “lxc-user-nic does not ensure that target netns is ...” : Bugs : lxc package : UbuntuThird Party Advisory
-
https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9
CVE-2017-5985: Ensure target netns is caller-owned · lxc/lxc@16af238 · GitHubIssue Tracking;Patch
-
http://www.openwall.com/lists/oss-security/2017/03/09/4
oss-security - LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownershipMailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-3224-1
USN-3224-1: LXC vulnerability | Ubuntu security noticesThird Party Advisory
-
http://www.securityfocus.com/bid/96777
LXC 'lxc/lxc_user_nic.c' Remote Privilege Escalation VulnerabilityThird Party Advisory;VDB Entry
-
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html
[security-announce] openSUSE-SU-2019:1481-1: important: Security update
Products affected by CVE-2017-5985
- cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*
- cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*