cbcvebase.
CVE-2017-7397
published 2017-04-03

CVE-2017-7397: BackBox Linux 4.6 allows remote attackers to cause a denial of service (ksoftirqd CPU consumption) via a flood of packets with Martian source IP addresses (as…

PriorityP347high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EXPLOIT
EPSS
11.07%
95.4th percentile
BackBox Linux 4.6 allows remote attackers to cause a denial of service (ksoftirqd CPU consumption) via a flood of packets with Martian source IP addresses (as defined in RFC 1812 section 5.3.7). This product enables net.ipv4.conf.all.log_martians by default. NOTE: the vendor reports "It has been proved that this vulnerability has no foundation and it is totally fake and based on false assumptions.

Affected

1 ranges
VendorProductVersion rangeFixed in
backboxbackbox_linux

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://www.exploit-db.com/exploits/41781
otherip_tos=0x08 in crafted raw IP header
  • Detect high-rate flood of packets with randomised/spoofed (Martian) source IP addresses targeting a single destination host, causing ksoftirqd CPU exhaustion on systems with net.ipv4.conf.all.log_martians enabled.
  • The exploit sends raw packets (AF_INET/SOCK_RAW/IPPROTO_RAW) with fully randomised source IPs (random() used for ip_src when no class specified), TTL=255, and TOS=0x08. Monitor for raw socket creation combined with high packet rates from rapidly changing source IPs.
  • ICMP flood loop sends up to 1000 packets per iteration without delay. Detect bursts of ICMP ECHO packets (icmp_type=ICMP_ECHO, icmp_code=0) with spoofed sources and fixed checksum pattern (icmp_cksum = htons(~(ICMP_ECHO << 8))).

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.