{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-03-15T00:00:00", "descriptions": [{"lang": "en", "value": "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-10T15:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.trendmicro.com/results-pwn2own-2017-day-one/"}, {"name": "RHSA-2017:2918", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2918"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a"}, {"name": "RHSA-2017:2931", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2931"}, {"name": "97018", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97018"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://source.android.com/security/bulletin/2017-05-01"}, {"name": "1038166", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038166"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"tags": ["x_refsource_MISC"], "url": "http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/thezdi/status/842126074435665920"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://openwall.com/lists/oss-security/2017/03/29/2"}, {"name": "RHSA-2017:2930", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2930"}, {"name": "RHSA-2019:4159", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:4159"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7184", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.trendmicro.com/results-pwn2own-2017-day-one/", "refsource": "MISC", "url": "https://blog.trendmicro.com/results-pwn2own-2017-day-one/"}, {"name": "RHSA-2017:2918", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2918"}, {"name": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a", "refsource": "CONFIRM", "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a"}, {"name": "RHSA-2017:2931", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2931"}, {"name": "97018", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97018"}, {"name": "https://source.android.com/security/bulletin/2017-05-01", "refsource": "CONFIRM", "url": "https://source.android.com/security/bulletin/2017-05-01"}, {"name": "1038166", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038166"}, {"name": "https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df", "refsource": "CONFIRM", "url": "https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"name": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df", "refsource": "CONFIRM", "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"name": "http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition", "refsource": "MISC", "url": "http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition"}, {"name": "https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a", "refsource": "CONFIRM", "url": "https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a"}, {"name": "https://twitter.com/thezdi/status/842126074435665920", "refsource": "MISC", "url": "https://twitter.com/thezdi/status/842126074435665920"}, {"name": "http://openwall.com/lists/oss-security/2017/03/29/2", "refsource": "CONFIRM", "url": "http://openwall.com/lists/oss-security/2017/03/29/2"}, {"name": "RHSA-2017:2930", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2930"}, {"name": "RHSA-2019:4159", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:4159"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:56:35.949Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.trendmicro.com/results-pwn2own-2017-day-one/"}, {"name": "RHSA-2017:2918", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2918"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a"}, {"name": "RHSA-2017:2931", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2931"}, {"name": "97018", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97018"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://source.android.com/security/bulletin/2017-05-01"}, {"name": "1038166", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038166"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/thezdi/status/842126074435665920"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2017/03/29/2"}, {"name": "RHSA-2017:2930", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2930"}, {"name": "RHSA-2019:4159", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:4159"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7184", "datePublished": "2017-03-19T18:00:00", "dateReserved": "2017-03-19T00:00:00", "dateUpdated": "2024-08-05T15:56:35.949Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:4.8:*:*:*:*:*:*:*", "matchCriteriaId": "4E12A4EF-B3CF-432B-B9FF-AEF80A5C6906", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*", "matchCriteriaId": "1AFB20FA-CB00-4729-AB3A-816454C6D096", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A5C1F01-214B-4477-A3A1-F6DF10181D3C", "versionEndExcluding": "3.2.89", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3116EF11-56E7-4D40-9FD0-6109280D0247", "versionEndExcluding": "3.10.106", "versionStartIncluding": "3.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1656D223-4848-48AD-825C-23B10AE1D8BC", "versionEndExcluding": "3.12.73", "versionStartIncluding": "3.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "50A4478F-EC43-46DF-AE23-9298AE3F8892", "versionEndExcluding": "3.16.44", "versionStartIncluding": "3.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AA77834-089F-4556-A00B-CAC1E08444BF", "versionEndExcluding": "3.18.49", "versionStartIncluding": "3.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3C1F309-D954-4BB7-AC02-30FC58BE76F9", "versionEndExcluding": "4.1.49", "versionStartIncluding": "3.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "86ECD7D8-40A9-4227-B77D-867268FFDEAC", "versionEndExcluding": "4.4.59", "versionStartIncluding": "4.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D092A759-EAC4-4DDC-A3AF-7BECC8D32811", "versionEndExcluding": "4.9.20", "versionStartIncluding": "4.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC107011-8D8F-4EC7-B7E4-867BC4E35A48", "versionEndExcluding": "4.10.8", "versionStartIncluding": "4.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52."}, {"lang": "es", "value": "La funci\u00f3n xfrm_replay_verify_len en net/xfrm/xfrm_user.c en el kernel de Linux hasta la versi\u00f3n 4.10.6 no valida ciertos datos de tama\u00f1o despu\u00e9s de una actualizaci\u00f3n XFRM_MSG_NEWAE, lo que permite a usuarios locales obtener privilegios de root o provocar una denegaci\u00f3n de servicio (acceso fuera de l\u00edmites basado en memoria din\u00e1mica) aprovechando la capacidad CAP_NET_ADMIN, como se demostr\u00f3 durante una competici\u00f3n Pwn2Own en CanSecWest 2017 para el paquete Ubuntu 16.10 linux-image-* 4.8.0.41.52."}], "id": "CVE-2017-7184", "lastModified": "2023-02-10T00:53:24.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-19T18:59:00.193", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://openwall.com/lists/oss-security/2017/03/29/2"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97018"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038166"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2918"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2930"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2931"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:4159"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://blog.trendmicro.com/results-pwn2own-2017-day-one/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/torvalds/linux/commit/677e806da4d916052585301785d847c3b3e6186a"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/torvalds/linux/commit/f843ee6dd019bcece3e74e76ad9df0155655d0df"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://source.android.com/security/bulletin/2017-05-01"}, {"source": "cve@mitre.org", "tags": ["Press/Media Coverage", "Third Party Advisory"], "url": "https://twitter.com/thezdi/status/842126074435665920"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Chaitin Security Research Lab for reporting this issue.", "affected_release": [{"advisory": "RHSA-2017:2931", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-693.5.2.rt56.626.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-10-19T00:00:00Z"}, {"advisory": "RHSA-2017:2930", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-693.5.2.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-10-19T00:00:00Z"}, {"advisory": "RHSA-2019:4159", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "kernel-0:3.10.0-514.71.1.el7", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2019:4159", "cpe": "cpe:/o:redhat:rhel_tus:7.3", "package": "kernel-0:3.10.0-514.71.1.el7", "product_name": "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2019:4159", "cpe": "cpe:/o:redhat:rhel_e4s:7.3", "package": "kernel-0:3.10.0-514.71.1.el7", "product_name": "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date": "2019-12-10T00:00:00Z"}, {"advisory": "RHSA-2017:2918", "cpe": "cpe:/a:redhat:enterprise_mrg:2:server:el6", "package": "kernel-rt-1:3.10.0-693.5.2.rt56.592.el6rt", "product_name": "Red Hat Enterprise MRG 2", "release_date": "2017-10-19T00:00:00Z"}], "bugzilla": {"description": "kernel: Out-of-bounds heap access in xfrm", "id": "1435153", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1435153"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-122", "details": ["The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.", "Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation."], "name": "CVE-2017-7184", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2017-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7184\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7184"], "statement": "This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 as the code with the flaw is not present in the products listed.\nThis issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. In a default or common use of Red Hat Enterprise Linux 7 and MRG-2 this issue does not allow an unprivileged local or remote user to elevate their privileges on the system.\nIn order to exploit this issue the attacker needs CAP_NET_ADMIN capability, which needs to be granted especially by the administrator to the attacker's process. This in turn requires granting CAP_NET_ADMIN capability to the process' binary and/or attacker's account.\nAnother possibility to obtain CAP_NET_ADMIN capability in Red Hat Enterprise Linux 7 for an attacker is running a process inside a user+network namespace with mapped root privileges inside the namespace. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local or remote unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.\nGiven the severity of this issue, future Linux kernel updates for the Red Hat Enterprise Linux 7 and MRG-2 products are planned to address it.", "threat_severity": "Important"}