Date: Thu, 30 Mar 2017 09:17:45 -0500 From: Tyler Hicks <tyhicks@...onical.com> To: Lokesh Ubuntu <lokesh.ubuntu@...il.com>, oss-security@...ts.openwall.com Cc: security@...ntu.com Subject: Re: CVE-2017-7184: kernel: Local privilege escalation in XFRM framework A PoC is not publicly available for this issue. Tyler On 03/29/2017 10:18 PM, Lokesh Ubuntu wrote: > Is there any POC for this to conclude? Thanks. > > Regards, Lokesh > > On Mar 30, 2017 03:14, "Tyler Hicks" <tyhicks@...onical.com > <mailto:tyhicks@...onical.com>> wrote: > > A security issue was reported by ZDI, on behalf of Chaitin Security > Research Lab, against the Linux kernel in Ubuntu. It also affected the > upstream kernel. > > Chaitin Security Research Lab discovered that xfrm_replay_verify_len(), > as called by xfrm_new_ae(), did not verify that the user-specified > replay_window was within the replay state buffer. > > This allowed for out-of-bounds reads and writes of kernel memory. > Chaitin Security showed that this can lead to local privilege escalation > by using user namespaces in order to configure XFRM. XFRM configuration > requires CAP_NET_ADMIN so this issue is mitigated in kernels which do > not enable user namespaces by default. > > Fixes: > - > https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a <https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a> > - > https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df <https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df> > > Tyler > > [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ