CVE-2017-1000366
high-risk
Published 2017-06-19
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.
Do I need to act?
~
7.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10
High
LOCAL
/ LOW complexity
Affected Products (20)
References (40)
Third Party Advisory
http://www.debian.org/security/2017/dsa-3887
Third Party Advisory
http://www.securityfocus.com/bid/99127
Third Party Advisory
http://www.securitytracker.com/id/1038712
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1479
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1480
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1481
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1567
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1712
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2017-1000366
Third Party Advisory
https://security.gentoo.org/glsa/201706-19
Third Party Advisory
https://www.exploit-db.com/exploits/42274/
Third Party Advisory
https://www.exploit-db.com/exploits/42275/
Third Party Advisory
https://www.exploit-db.com/exploits/42276/
Technical Description
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Third Party Advisory
https://www.suse.com/security/cve/CVE-2017-1000366/
Third Party Advisory
https://www.suse.com/support/kb/doc/?id=7020973
and 20 more references
67
/ 100
high-risk
Severity
24/34 · High
Exploitability
17/34 · Moderate
Exposure
26/34 · High