CVE-2017-7308 : The packet_set_ring function in net/packet/af

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.

Published 2017-03-29 20:59:00

Updated 2023-02-14 18:32:40

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2017-7308

Linux » Linux Kernel
Versions from including (>=) 3.3 and before (<) 3.10.107
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.13 and before (<) 3.16.44
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.11 and before (<) 3.12.74
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.17 and before (<) 3.18.52
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.19 and before (<) 4.1.41
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.10 and before (<) 4.10.14
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.5 and before (<) 4.9.26
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.2 and before (<) 4.4.66
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 2.6.27 and before (<) 3.2.89
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2017-7308

Top countries where our scanners detected CVE-2017-7308

Top open port discovered on systems with this issue 49152

IPs affected by CVE-2017-7308 28,507

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-7308!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-7308

EPSS FAQ

86.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2017-7308

AF_PACKET packet_set_ring Privilege Escalation

Disclosure Date: 2017-03-29

First seen: 2020-04-26

exploit/linux/local/af_packet_packet_set_ring_priv_esc

This module exploits a heap-out-of-bounds write in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2017-7308). The bug was initially introduced in 2011 and patched in version 4.10.6, potenti

More information

CVSS scores for CVE-2017-7308

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-7308

CWE-681 Incorrect Conversion between Numeric Types

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Assigned by: nvd@nist.gov (Primary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-7308

https://access.redhat.com/errata/RHSA-2017:1308

RHSA-2017:1308 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1854

RHSA-2018:1854 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html

Project Zero: Exploiting the Linux kernel via packet sockets
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1298

RHSA-2017:1298 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://patchwork.ozlabs.org/patch/744813/

[net,v2,2/3] net/packet: fix overflow in check for tp_frame_nr - Patchwork
Third Party Advisory
https://www.exploit-db.com/exploits/41994/

Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2017:1297

RHSA-2017:1297 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://patchwork.ozlabs.org/patch/744811/

[net,v2,1/3] net/packet: fix overflow in check for priv area size - Patchwork
Third Party Advisory
https://patchwork.ozlabs.org/patch/744812/

[net,v2,3/3] net/packet: fix overflow in check for tp_reserve - Patchwork
Third Party Advisory
https://www.exploit-db.com/exploits/44654/

Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/97234

Linux kernel CVE-2017-7308 Local Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://source.android.com/security/bulletin/2017-07-01

Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-7308