Vulnerability Details : CVE-2017-1000364

An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).

Vulnerability category: Overflow

Published 2017-06-19 16:29:00

Updated 2018-10-18 10:29:01

Source MITRE

View at NVD, CVE.org

At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2017-1000364

Probability of exploitation activity in the next 30 days: 0.24%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 61 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2017-1000364

Solaris RSH Stack Clash Privilege Escalation

Disclosure Date: 2017-06-19

First seen: 2020-04-26

exploit/solaris/local/rsh_stack_clash_priv_esc

This module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack

More information

CVSS scores for CVE-2017-1000364

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.2	MEDIUM	AV:L/AC:H/Au:N/C:C/I:C/A:C	1.9	10.0	nvd@nist.gov
Access Vector: Local Access Complexity: High Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.4	HIGH	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	1.4	5.9	nvd@nist.gov
Attack Vector: Local Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-1000364

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-1000364

https://www.exploit-db.com/exploits/45625/

Solaris - RSH Stack Clash Privilege Escalation (Metasploit)

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1483

RHSA-2017:1483 - Security Advisory - Red Hat Customer Portal
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03800en_us

HPESBHF03800 rev.1 - HPE Comware 7 MSR Routers, Remote Denial of Service and Local Elevation or Privilege

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1482

RHSA-2017:1482 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1489

RHSA-2017:1489 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1647

RHSA-2017:1647 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://www.suse.com/security/cve/CVE-2017-1000364/

CVE-2017-1000364 | SUSE
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1567

RHSA-2017:1567 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1491

RHSA-2017:1491 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1488

RHSA-2017:1488 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1487

RHSA-2017:1487 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.debian.org/security/2017/dsa-3886

Debian -- Security Information -- DSA-3886-1 linux

CVEs referencing this url
https://access.redhat.com/security/cve/CVE-2017-1000364

CVE-2017-1000364 - Red Hat Customer Portal
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2017:1485

RHSA-2017:1485 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.securitytracker.com/id/1038724

Linux Kernel Small Stack Guard Page Lets Local Users Gain Elevated Privileges - SecurityTracker
https://www.suse.com/support/kb/doc/?id=7020973

SUSE products and a new security bug class referred to as "Stack Clash". | Support | SUSE
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1484

RHSA-2017:1484 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://kc.mcafee.com/corporate/index?page=content&id=SB10207

McAfee Security Bulletin - Threat Intelligence Exchange Server 2.1.0 Hotfix 1 update fixes Kernel related vulnerability and possible cross-site scripting attack (CVE-2017-1000364 and CVE-2017-3907)

CVEs referencing this url
http://www.securityfocus.com/bid/99130

Linux Kernel CVE-2017-1000364 Local Memory Corruption Vulnerability
Issue Tracking;VDB Entry
https://access.redhat.com/errata/RHSA-2017:1486

RHSA-2017:1486 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://kc.mcafee.com/corporate/index?page=content&id=SB10205

McAfee Security Bulletin - Web Gateway update fixes vulnerabilities CVE-2012-6706, CVE-2017-1000364, CVE-2017-1000366, and CVE-2017-1000368

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1616

RHSA-2017:1616 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1490

RHSA-2017:1490 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1712

RHSA-2017:1712 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url

Products affected by CVE-2017-1000364

Linux » Linux Kernel
Versions up to, including, (<=) 4.11.5
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions