Vulnerability Details: CVE-2016-4998
Public exploit exists!
The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.
Vulnerability category: Overflow; Denial of service
Products affected by CVE-2016-4998
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4998
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
EPSS Score History
- Percentile: ~8% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2016-4998
- Linux Kernel 4.6.3 Netfilter Privilege Escalation
  Disclosure Date: 2016-06-03
  First seen: 2020-04-26
  exploit/linux/local/netfilter_priv_esc_ipv4
  This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_ta
CVSS scores for CVE-2016-4998
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:N/A:C | 3.9 | 7.8 | NIST |
7.1 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 | NIST |
CWE ids for CVE-2016-4998
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-4998
- http://rhn.redhat.com/errata/RHSA-2016-1875.html
  RHSA-2016:1875 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-3019-1
  USN-3019-1: Linux kernel (Utopic HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2016-1883.html
  RHSA-2016:1883 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-3016-4
  USN-3016-4: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3020-1
  USN-3020-1: Linux kernel (Vivid HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3017-2
  USN-3017-2: Linux kernel (Raspberry Pi 2) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3016-1
  USN-3016-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
  Oracle VM Server for x86 Bulletin - October 2016
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
  Oracle Linux Bulletin - October 2016
- http://rhn.redhat.com/errata/RHSA-2016-1847.html
  RHSA-2016:1847 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2016/06/24/5
  oss-security - Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access)
- http://www.ubuntu.com/usn/USN-3016-3
  USN-3016-3: Linux kernel (Qualcomm Snapdragon) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3017-3
  USN-3017-3: Linux kernel (Wily HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html
  [security-announce] SUSE-SU-2016:2105-1: important: Security update for
- http://www.ubuntu.com/usn/USN-3018-1
  USN-3018-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1349886
  1349886 – (CVE-2016-4998) CVE-2016-4998 kernel: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt (Issue Tracking; Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/91451
  Linux Kernel Multiple Local Memory Corruption Vulnerabilities
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html
  [security-announce] openSUSE-SU-2016:2184-1: important: Security update
- http://www.securitytracker.com/id/1036171
  Linux Kernel setsockopt() Bugs Let Local Users Deny Service and Gain Elevated Privileges - SecurityTracker
- https://github.com/torvalds/linux/commit/6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
  netfilter: x_tables: make sure e->next_offset covers remaining blob size · torvalds/linux@6e94e0c · GitHub (Patch; Vendor Advisory)
- http://www.debian.org/security/2016/dsa-3607
  Debian -- Security Information -- DSA-3607-1 linux
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
  kernel/git/torvalds/linux.git - Linux kernel source tree
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
  Oracle Linux Bulletin - July 2016 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3017-1
  USN-3017-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0036.html
  RHSA-2017:0036 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-3018-2
  USN-3018-2: Linux kernel (Trusty HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3016-2
  USN-3016-2: Linux kernel (Raspberry Pi 2) vulnerabilities | Ubuntu security notices (Third Party Advisory)