CVE-2017-1000111

moderate-risk

Published 2017-10-05

Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (19)

Linux Kernel

Enterprise Linux

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Workstation

Debian Linux

Enterprise Linux

Enterprise Linux Desktop

Enterprise Linux Server Eus

Enterprise Linux Server Tus

Affected Vendors

Linux Debian Redhat

References (16)

Third Party Advisory http://www.debian.org/security/2017/dsa-3981

Third Party Advisory http://www.securityfocus.com/bid/100267

Third Party Advisory http://www.securitytracker.com/id/1039132

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2918

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2930

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2931

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3200

Third Party Advisory https://access.redhat.com/security/cve/cve-2017-1000111

Third Party Advisory http://www.debian.org/security/2017/dsa-3981

Third Party Advisory http://www.securityfocus.com/bid/100267

Third Party Advisory http://www.securitytracker.com/id/1039132

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2918

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2930

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2931

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3200

Third Party Advisory https://access.redhat.com/security/cve/cve-2017-1000111

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 19/34 · Moderate