CVE-2017-15649
Published: 2017-10-19
Priority: P350high
CVSS 3.0 base score: 7.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.97% (57.5th percentile)
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.13.10-1 (bookworm) | linux 4.13.10-1 (bookworm) |
| linux | linux_kernel | <= 4.13.5 | — |
| linux | linux_kernel | >= 0 < 4.13.10-1 | 4.13.10-1 |
| linux | linux_kernel | >= 0 < 4.13.10-1 | 4.13.10-1 |
| linux | linux_kernel | >= 0 < 4.13.10-1 | 4.13.10-1 |
| linux | linux_kernel | >= 0 < 4.13.10-1 | 4.13.10-1 |
| linux | linux_kernel | >= 0 < 3.13.0-157.207 | 3.13.0-157.207 |
| linux | linux_kernel | >= 0 < 4.4.0-101.124 | 4.4.0-101.124 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.0 | HIGH | — |
GHSA
GHSA-wjx2-qc46-g62h: net/packet/af_packet
ghsa_unreviewed·2022-05-14·CVSS 7.0
CVE-2017-15649 [HIGH] CWE-362 GHSA-wjx2-qc46-g62h: net/packet/af_packet
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
OSV
linux vulnerabilities
osv·2018-08-24·CVSS 4.3
CVE-2016-10208 [MEDIUM] linux vulnerabilities
Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel
did not properly validate meta block groups. An attacker with physical
access could use this to specially craft an ext4 image that causes a denial
of service (system crash). (CVE-2016-10208)
It was discovered that an information disclosure vulnerability existed in
the ACPI implementation of the Linux kernel. A local attacker could use
this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)
It was discovered that a buffer overflow existed in the ACPI table parsing
implementation in the Linux kernel. A local attacker could use this to
construct a malicious ACPI table that, when loaded, caused a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-
OSV
linux-aws vulnerabilities
osv·2017-11-21·CVSS 7.0
CVE-2017-15265 [HIGH] linux-aws vulnerabilities
It was discovered that a race condition existed in the ALSA subsystem of
the Linux kernel when creating and deleting a port via ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15265)
Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)
It was discovered that a race condition existed in the packet fanout
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code.
OSV
linux-lts-xenial vulnerabilities
osv·2017-11-21·CVSS 7.0
[HIGH] linux-lts-xenial vulnerabilities
USN-3485-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
It was discovered that a race condition existed in the ALSA subsystem of
the Linux kernel when creating and deleting a port via ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15265)
Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-152
OSV
linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
osv·2017-11-21·CVSS 7.0
CVE-2017-15265 [HIGH] linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
It was discovered that a race condition existed in the ALSA subsystem of
the Linux kernel when creating and deleting a port via ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15265)
Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)
It was discovered that a race condition existed in the packet fanout
implementation in the Linux kernel. A local attacker could use this to
cause a denial
OSV
CVE-2017-15649: net/packet/af_packet
osv·2017-10-19·CVSS 7.8
CVE-2017-15649 [HIGH] CVE-2017-15649: net/packet/af_packet
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2018-08-24·CVSS 4.3
CVE-2016-10208 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel
did not properly validate meta block groups. An attacker with physical
access could use this to specially craft an ext4 image that causes a denial
of service (system crash). (CVE-2016-10208)
It was discovered that an information disclosure vulnerability existed in
the ACPI implementation of the Linux kernel. A local attacker could use
this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)
It was discovered that a buffer overflow existed in the ACPI table parsing
implementation in the Linux kernel. A local attacker could use this to
construct a malicious ACPI table that, when loaded, cau
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2017-11-21·CVSS 5.5
CVE-2017-1000255 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the KVM subsystem in the Linux kernel did not
properly keep track of nested levels in guest page tables. A local attacker
in a guest VM could use this to cause a denial of service (host OS crash)
or possibly execute arbitrary code in the host OS. (CVE-2017-12188)
It was discovered that on the PowerPC architecture, the kernel did not
properly sanitize the signal stack when handling sigreturn(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-1000255)
Bo Zhang discovered that the netlink wireless configuration interface in
the Linux kernel did not properly validate attributes when handling cer
Ubuntu
Linux kernel (AWS) vulnerabilities
vendor_ubuntu·2017-11-21·CVSS 7.0
CVE-2017-15265 [HIGH] Linux kernel (AWS) vulnerabilities
Title: Linux kernel (AWS) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition existed in the ALSA subsystem of
the Linux kernel when creating and deleting a port via ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15265)
Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)
It was discovered that a race condition existed in the packet fanout
implementation in the Linux kernel. A local attacker could use th
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2017-11-21·CVSS 7.0
CVE-2017-15265 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition existed in the ALSA subsystem of
the Linux kernel when creating and deleting a port via ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15265)
Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)
It was discovered that a race condition existed in the packet fanout
implementation in the Linux kernel. A local attacker could use this to
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu·2017-11-21·CVSS 7.0
CVE-2017-15265 [HIGH] Linux kernel (Xenial HWE) vulnerabilities
Title: Linux kernel (Xenial HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-3485-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
It was discovered that a race condition existed in the ALSA subsystem of
the Linux kernel when creating and deleting a port via ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15265)
Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a
Red Hat
kernel: Use-after-free in the af_packet.c
vendor_redhat·2017-09-20·CVSS 7.8
CVE-2017-15649 [HIGH] CWE-416 kernel: Use-after-free in the af_packet.c
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterpris
Debian
CVE-2017-15649: linux - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to g...
vendor_debian·2017·CVSS 7.8
CVE-2017-15649 [HIGH] CVE-2017-15649: linux - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to g...
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
Scope: local
bookworm: resolved (fixed in 4.13.10-1)
bullseye: resolved (fixed in 4.13.10-1)
forky: resolved (fixed in 4.13.10-1)
sid: resolved (fixed in 4.13.10-1)
trixie: resolved (fixed in 4.13.10-1)
No detection rules found.
Bugzilla
CVE-2017-15649 kernel: Use-after-free in the af_packet.c [fedora-all]
bugzilla·2017-10-23·CVSS 7.8
CVE-2017-15649 [HIGH] CVE-2017-15649 kernel: Use-after-free in the af_packet.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedo
Bugzilla
CVE-2017-15649 kernel: Use-after-free in the af_packet.c
bugzilla·2017-10-20·CVSS 7.8
CVE-2017-15649 [HIGH] CVE-2017-15649 kernel: Use-after-free in the af_packet.c
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
Upstream patches:
https://github.com/torvalds/linux/commit/008ba2a13f2d04c947adc536d19debb8fe66f110
https://github.com/torvalds/linux/commit/4971613c1639d8e5f102c4e797c3bf8f83a5a69e
https://github.com/torvalds/linux/commit/2bd624b4611ffee36422782d16e1c944d1351e98
References:
https://blogs.securiteam.com/index.php/archives/3484
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [b
arXiv
Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation
arxiv_fulltext·2024-11-09
### Abstract
Recently, a novel method known as Page Spray emerges, focusing on page-level exploitation for kernel vulnerabilities. Despite the advantages it offers in terms of exploitability, stability, and compatibility, comprehensive research on Page Spray remains scarce. Questions regarding its root causes, exploitation model, comparative benefits over other exploitation techniques, and possible mitigation strategies have largely remained unanswered. In this paper, we conduct a systematic investigation into Page Spray, providing an in-depth understanding of this exploitation technique. We introduce a comprehensive exploit model termed the model, elucidating its fundamental principles. Additionally, we conduct a thorough analysis of the root causes underlying Page Spray occurrenc
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=008ba2a13f2d04c947adc536d19debb8fe66f110
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4971613c1639d8e5f102c4e797c3bf8f83a5a69e
- http://patchwork.ozlabs.org/patch/813945/
- http://patchwork.ozlabs.org/patch/818726/
- http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
- http://www.securityfocus.com/bid/101573
- https://access.redhat.com/errata/RHSA-2018:0151
- https://access.redhat.com/errata/RHSA-2018:0152
- https://access.redhat.com/errata/RHSA-2018:0181
- https://blogs.securiteam.com/index.php/archives/3484
- https://github.com/torvalds/linux/commit/008ba2a13f2d04c947adc536d19debb8fe66f110
- https://github.com/torvalds/linux/commit/4971613c1639d8e5f102c4e797c3bf8f83a5a69e
- https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html
- https://usn.ubuntu.com/3754-1/