Vulnerability Details : CVE-2017-18367
libseccomp-golang 0.9.0 and earlier incorrectly generates BPF filters that OR multiple argument conditions together rather than ANDing them. A process running under a restrictive seccomp filter whose rules specified multiple syscall arguments could bypass the intended access restrictions by supplying only a single matching argument.
Vulnerability category: Input validation
Products affected by CVE-2017-18367
- cpe:2.3:a:libseccomp-golang_project:libseccomp-golang:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-18367
- EPSS score: 0.30% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~70% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-18367
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2017-18367
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-18367
- http://www.openwall.com/lists/oss-security/2019/04/25/6 : oss-security - Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments (Mailing List; Patch; Third Party Advisory)
- https://github.com/seccomp/libseccomp-golang/issues/22 : BUG: Handling of multiple syscall arguments incorrect (CVE-2017-18367) · Issue #22 · seccomp/libseccomp-golang · GitHub (Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:4090 : RHSA-2019:4090 - Security Advisory - Red Hat Customer Portal
- https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e : golang: Resolve bug with handling of multiple argument rules · seccomp/libseccomp-golang@06e7a29 · GitHub (Patch; Third Party Advisory)
- https://usn.ubuntu.com/4574-1/ : USN-4574-1: libseccomp-golang vulnerability | Ubuntu security notices | Ubuntu
- https://access.redhat.com/errata/RHSA-2019:4087 : RHSA-2019:4087 - Security Advisory - Red Hat Customer Portal
- https://lists.debian.org/debian-lts-announce/2020/08/msg00016.html : [SECURITY] [DLA 2320-1] golang-github-seccomp-libseccomp-golang security update