CVE-2017-0428 : An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32401526. References: N-CVE-2017-0428.

Published 2017-02-08 15:59:01

Updated 2019-10-03 00:03:26

Source Android (associated with Google Inc. or Open Handset Alliance)

View at NVD, CVE.org

Vulnerability category: Execute codeGain privilege

Products affected by CVE-2017-0428

Linux » Linux Kernel » Version: 3.10
cpe:2.3:o:linux:linux_kernel:3.10:*:*:*:*:*:*:*
Matching versions
Google » Android
Versions up to, including, (<=) 7.1.1
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2017-0428

Top countries where our scanners detected CVE-2017-0428

Top open port discovered on systems with this issue 49152

IPs affected by CVE-2017-0428 472

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-0428!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-0428

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-0428

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-0428

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-0428

http://www.securityfocus.com/bid/96070

Google Nexus NVIDIA GPU Driver Multiple Privilege Escalation Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securitytracker.com/id/1037798

Google Android Multiple Flaws Let Users Deny Service, Obtain Potentially Sensitive Information, and Gain Elevated Privileges and Let Remote Users Execute Arbitrary Code - SecurityTracker

CVEs referencing this url
https://source.android.com/security/bulletin/2017-02-01.html

Android Security Bulletin—February 2017 | Android Open Source Project
Patch;Vendor Advisory

CVEs referencing this url
http://nvidia.custhelp.com/app/answers/detail/a_id/4561

Security Bulletin: NVIDIA Tegra Jetson L4T contains multiple vulnerabilities; updates for “BlueBorne” and “Dnsmasq”. | NVIDIA

CVEs referencing this url