Vulnerability Details : CVE-2017-16995
Public exploit exists!
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
Vulnerability categories: Overflow; Memory Corruption; Denial of service
Products affected by CVE-2017-16995
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-16995
- EPSS score: 83.02% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~99% (the proportion of vulnerabilities that are scored at or below this value)
Metasploit modules for CVE-2017-16995
- Linux BPF Sign Extension Local Privilege Escalation
  Disclosure Date: 2017-11-12; First seen: 2020-04-26; Module: exploit/linux/local/bpf_sign_extension_priv_esc
  Linux kernel prior to 4.14.8 contains a vulnerability in the Berkeley Packet Filter (BPF) verifier. The `check_alu_op` function performs incorrect sign extension which allows the verifier to be bypassed, leading to arbitrary kernel read/write. The
CVSS scores for CVE-2017-16995
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | 
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 
CWE ids for CVE-2017-16995
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-16995
- http://openwall.com/lists/oss-security/2017/12/21/2
  oss-security - Linux >=4.9: eBPF memory corruption bugs (Mailing List; Third Party Advisory)
- https://www.exploit-db.com/exploits/45010/
  Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation (Third Party Advisory; VDB Entry)
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f
  kernel/git/torvalds/linux.git - Linux kernel source tree (Vendor Advisory)
- https://github.com/torvalds/linux/commit/95a762e2c8c942780948091f8f2a4f32fce1ac6f
  bpf: fix incorrect sign extension in check_alu_op() · torvalds/linux@95a762e · GitHub (Third Party Advisory)
- https://usn.ubuntu.com/3633-1/
  USN-3633-1: Linux kernel (Intel Euclid) vulnerability | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3619-1/
  USN-3619-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3619-2/
  USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.exploit-db.com/exploits/44298/
  Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation (Third Party Advisory; VDB Entry)
- https://www.exploit-db.com/exploits/45058/
  Linux - BPF Sign Extension Local Privilege Escalation (Metasploit) (Third Party Advisory; VDB Entry)
- https://usn.ubuntu.com/usn/usn-3523-2/
  USN-3523-2: Linux kernel (HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
  1454 - arbitrary read+write via incorrect range tracking in eBPF - project-zero - Monorail (Third Party Advisory)
- https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=a6132276ab5dcc38b3299082efeb25b948263adb
  kernel/git/tip/tip.git - Unnamed repository; edit this file 'description' to name the repository. (Vendor Advisory)
- https://www.debian.org/security/2017/dsa-4073
  Debian -- Security Information -- DSA-4073-1 linux (Third Party Advisory)
- http://www.securityfocus.com/bid/102288
  Linux Kernel CVE-2017-16995 Local Memory Corruption Vulnerability (Third Party Advisory; VDB Entry)