Vulnerability Details : CVE-2017-16995
Public exploit exists!
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
Vulnerability category: Overflow; Memory Corruption; Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2017-16995
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~15%
Metasploit modules for CVE-2017-16995
- Linux BPF Sign Extension Local Privilege Escalation
  Disclosure Date: 2017-11-12
  First seen: 2020-04-26
  exploit/linux/local/bpf_sign_extension_priv_esc
  Linux kernel prior to 4.14.8 contains a vulnerability in the Berkeley Packet Filter (BPF) verifier. The `check_alu_op` function performs incorrect sign extension which allows the verifier to be bypassed, leading to arbitrary kernel read/write. The
CVSS scores for CVE-2017-16995
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST
CWE ids for CVE-2017-16995
- The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-16995
- http://openwall.com/lists/oss-security/2017/12/21/2
  oss-security - Linux >=4.9: eBPF memory corruption bugs (Mailing List; Third Party Advisory)
- https://www.exploit-db.com/exploits/45010/
  Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation (Third Party Advisory; VDB Entry)
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f
  kernel/git/torvalds/linux.git - Linux kernel source tree (Vendor Advisory)
- https://github.com/torvalds/linux/commit/95a762e2c8c942780948091f8f2a4f32fce1ac6f
  bpf: fix incorrect sign extension in check_alu_op() · torvalds/linux@95a762e · GitHub (Third Party Advisory)
- https://usn.ubuntu.com/3633-1/
  USN-3633-1: Linux kernel (Intel Euclid) vulnerability | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3619-1/
  USN-3619-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3619-2/
  USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.exploit-db.com/exploits/44298/
  Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation (Third Party Advisory; VDB Entry)
- https://www.exploit-db.com/exploits/45058/
  Linux - BPF Sign Extension Local Privilege Escalation (Metasploit) (Third Party Advisory; VDB Entry)
- https://usn.ubuntu.com/usn/usn-3523-2/
  USN-3523-2: Linux kernel (HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
  1454 - arbitrary read+write via incorrect range tracking in eBPF - project-zero - Monorail (Third Party Advisory)
- https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=a6132276ab5dcc38b3299082efeb25b948263adb
  kernel/git/tip/tip.git - Unnamed repository; edit this file 'description' to name the repository. (Vendor Advisory)
- https://www.debian.org/security/2017/dsa-4073
  Debian -- Security Information -- DSA-4073-1 linux (Third Party Advisory)
- http://www.securityfocus.com/bid/102288
  Linux Kernel CVE-2017-16995 Local Memory Corruption Vulnerability (Third Party Advisory; VDB Entry)
Products affected by CVE-2017-16995
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*