CVE-2017-7308
published 2017-03-29


Priority: P2 / 60 / high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 17.83% (96.8th percentile)
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.

Affected

15 ranges

Vendor   Product        Version range                 Fixed in
debian   linux          < linux 4.9.18-1 (bookworm)   linux 4.9.18-1 (bookworm)
google   android        -                             -
linux    linux_kernel   >= 0 < 4.9.18-1               4.9.18-1
linux    linux_kernel   >= 0 < 4.9.18-1               4.9.18-1
linux    linux_kernel   >= 0 < 4.9.18-1               4.9.18-1
linux    linux_kernel   >= 0 < 4.9.18-1               4.9.18-1
linux    linux_kernel   >= 2.6.27 < 3.2.89            3.2.89
linux    linux_kernel   >= 3.11 < 3.12.74             3.12.74
linux    linux_kernel   >= 3.13 < 3.16.44             3.16.44
linux    linux_kernel   >= 3.17 < 3.18.52             3.18.52
linux    linux_kernel   >= 3.19 < 4.1.41              4.1.41
linux    linux_kernel   >= 3.3 < 3.10.107             3.10.107
linux    linux_kernel   >= 4.10 < 4.10.14             4.10.14
linux    linux_kernel   >= 4.2 < 4.4.66               4.4.66
linux    linux_kernel   >= 4.5 < 4.9.26               4.9.26

Detection & IOCs (extracted from sources)

Type      Value
path      net/packet/af_packet.c
command   setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v))
other     TPACKET_V3
other     TIMER_OFFSET=896
other     XMIT_OFFSET=1304
other     CR4_DESIRED_VALUE=0x406e0
other     KERNEL_BASE=0xffffffff81000000
  • Alert on unprivileged processes creating AF_PACKET SOCK_RAW sockets, which requires CAP_NET_RAW — obtainable via unprivileged user namespaces when CONFIG_USER_NS=y is enabled.
  • Monitor for KASLR bypass attempts via /proc/kallsyms reads or klogctl(SYSLOG_ACTION_READ_ALL) from unprivileged processes, which are used by the exploit to locate the kernel base address.
  • Detect exploitation attempts targeting Linux Mint 18 / Ubuntu Xenial kernel versions 4.8.0-34 through 4.8.0-45 (generic), which are the confirmed vulnerable targets for this exploit.
  • Alert on processes attempting to disable SMEP/SMAP by calling native_write_cr4 with CR4 value 0x406e0 (SMEP off) or 0x407f0 (SMAP off), a key step in this exploit's privilege escalation chain.
  • Monitor for the exploit's heap spray pattern: large numbers of kmalloc (512 pad) and page allocations (1024 pad) from a single process prior to socket operations, indicating heap grooming for the out-of-bounds write.
  • The exploit requires two or more CPU cores; single-core systems are not exploitable. Enforce Seccomp policies blocking socket(AF_PACKET, SOCK_RAW, ...) syscalls for containers/unprivileged processes to mitigate.
  • The CVE-2017-7308 exploit is reported as blocked by ARM Pointer Authentication (PA)-based CFI with typesig enforcement; the original exploits were prevented outright by typesig.
  • The vulnerability is only triggerable when CONFIG_PACKET=y and CONFIG_USER_NS=y are both set in the kernel configuration and unprivileged user namespaces are accessible. Ubuntu and Linux Mint satisfy these conditions by default.
  • The exploit targets Ubuntu Xenial kernels 4.8.0 < 4.8.0-46 specifically; the bug was patched in kernel version 4.10.6. Systems already on 4.8.0-46+ or 4.10.6+ are not affected by this specific exploit.
  • Failed exploitation may crash the kernel (kernel panic/DoS), so detection of failed attempts should also include unexpected kernel oops/panics on affected kernel versions.
  • Seccomp policies blocking the socket syscall with the AF_PACKET domain can mitigate CVE-2017-7308; this CVE is cited as an example of privilege escalation achievable from containers when syscalls are not restricted.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv             -         7.8     HIGH       -
vendor_debian   -         7.8     HIGH       -
vendor_redhat   -         7.8     HIGH       -