CVE-2017-5669 : The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not r

The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.

Published 2017-02-24 15:59:00

Updated 2020-10-09 14:49:29

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2017-5669

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions before (<) 4.11
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-5669

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 14 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-5669

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2017-5669

https://github.com/torvalds/linux/commit/95e91b831f87ac8e1f8ed50c14d709089b4e01b8

ipc/shm: Fix shmat mmap nil-page protection · torvalds/linux@95e91b8 · GitHub
Patch;Third Party Advisory
https://usn.ubuntu.com/3583-1/

USN-3583-1: Linux kernel vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1037918

Linux Kernel do_shmat() Flaw Lets Local Users Bypass Security Restrictions - SecurityTracker
Third Party Advisory;VDB Entry
https://bugzilla.kernel.org/show_bug.cgi?id=192931

192931 – Shmat allows mmap null page protection bypass
Issue Tracking;Patch;Vendor Advisory
http://www.debian.org/security/2017/dsa-3804

Debian -- Security Information -- DSA-3804-1 linux
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/96754

Linux Kernel CVE-2017-5669 Local Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://github.com/torvalds/linux/commit/e1d35d4dc7f089e6c9c080d556feedf9c706f0c7

ipc/shm: Fix shmat mmap nil-page protection · torvalds/linux@e1d35d4 · GitHub
Patch;Third Party Advisory
https://usn.ubuntu.com/3583-2/

USN-3583-2: Linux kernel (Trusty HWE) vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-5669

Products affected by CVE-2017-5669

Exploit prediction scoring system (EPSS) score for CVE-2017-5669

CVSS scores for CVE-2017-5669

References for CVE-2017-5669