CVE-2017-7895
Published 2017-04-28
Priority P3 · 51 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.81% (95.3th percentile)
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
Affected
15 ranges in the source; duplicate rows collapsed below.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < 4.9.25-1 | 4.9.25-1 (bookworm and later, per the Debian entry below) |
| linux | linux_kernel | < 3.2.89 | 3.2.89 |
| linux | linux_kernel | >= 0 < 4.9.25-1 | 4.9.25-1 |
| linux | linux_kernel | >= 0 < 3.13.0-125.174 | 3.13.0-125.174 |
| linux | linux_kernel | >= 0 < 4.4.0-79.100 | 4.4.0-79.100 |
| linux | linux_kernel | >= 3.17.0 < 4.1.40 | 4.1.40 |
| linux | linux_kernel | >= 3.3 < 3.16.44 | 3.16.44 |
| linux | linux_kernel | >= 4.10 < 4.10.14 | 4.10.14 |
| linux | linux_kernel | >= 4.2 < 4.4.67 | 4.4.67 |
| linux | linux_kernel | >= 4.5.0 < 4.9.26 | 4.9.26 |
Note: 4.9.25-1 is a Debian package version and 3.13.0-125.174 and 4.4.0-79.100 are Ubuntu package versions, not upstream releases, even though the table files them under linux_kernel. The upstream fix is in 4.10.14 and in the stable branches 4.9.26, 4.4.67, 4.1.40, 3.16.44 and 3.2.89. On a distribution kernel the fix is backported, so check the installed package version against the vendor advisory rather than comparing uname -r with the upstream numbers.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 5.5 | MEDIUM | — |
Caveat on the score: the NVD vector assumes no privileges and full confidentiality, integrity and availability impact, but the Red Hat Bugzilla analysis further down states that write access to an NFS mount is required and that the demonstrated impact is disclosure of up to about 1 MB of kernel memory into a file. Red Hat classifies the flaw as CWE-125 (out-of-bounds read) and GHSA as CWE-119. Treat 9.8 as an upper bound, and weigh the write-access requirement when triaging exports that untrusted clients cannot write to. The Ubuntu 5.5 figure is the score attached to the multi-CVE USN advisories listed below, not a rating of this CVE alone.
Ubuntu · Linux kernel vulnerabilities · vendor_ubuntu·2017-07-21·CVSS 5.5 · indexed under CVE-2014-9900 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)
It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)
It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955)
It was discovered that the SCSI generic (sg) driver in the Linux kernel contained a double-free vulnerability. A local attacker could use
Ubuntu · Linux kernel (Trusty HWE) vulnerabilities · vendor_ubuntu·2017-07-21·CVSS 5.5 · indexed under CVE-2014-9900 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
USN-3360-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.
It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)
It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)
It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955)
Ubuntu · Linux kernel (HWE) vulnerabilities · vendor_ubuntu·2017-07-21·CVSS 5.5 · indexed under CVE-2015-1350 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.
Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)
Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially cr
Ubuntu · Linux kernel vulnerabilities · vendor_ubuntu·2017-07-20·CVSS 5.5 · indexed under CVE-2014-9900 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)
Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfilter subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9755)
Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-
Ubuntu · Linux kernel (Xenial HWE) vulnerabilities · vendor_ubuntu·2017-06-07·CVSS 5.0 · indexed under CVE-2016-7913 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
USN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)
Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)
It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)
Ubuntu · Linux kernel vulnerabilities · vendor_ubuntu·2017-06-07·CVSS 5.0 · indexed under CVE-2016-7913 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)
Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)
It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)
Ubuntu · Linux kernel vulnerabilities · vendor_ubuntu·2017-06-07·CVSS 4.4 · indexed under CVE-2016-9604 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)
It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code. (CVE-2017-0605)
Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671)
JongHwan Kim discovered an out-of-b
Red Hat · kernel: NFSv3 server does not properly handle payload bounds checking of WRITE requests · vendor_redhat·2017-04-28·CVSS 9.8 · CVE-2017-7895 [CRITICAL] · CWE-125
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
Statement: This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Li
Debian · CVE-2017-7895: linux · vendor_debian·2017·CVSS 9.8 · CVE-2017-7895 [CRITICAL]
Scope: local
bookworm: resolved (fixed in 4.9.25-1)
bullseye: resolved (fixed in 4.9.25-1)
forky: resolved (fixed in 4.9.25-1)
sid: resolved (fixed in 4.9.25-1)
trixie: resolved (fixed in 4.9.25-1)
GHSA · GHSA-wj85-r27r-99vw · ghsa_unreviewed·2022-05-13 · CVE-2017-7895 [CRITICAL] · CWE-119
OSV · linux vulnerabilities · osv·2017-07-21·CVSS 5.5 · indexed under CVE-2014-9900 [MEDIUM]
Body: the same USN advisory text as the Ubuntu "Linux kernel vulnerabilities" entry dated 2017-07-21 above.
OSV · linux-hwe vulnerabilities · osv·2017-07-21·CVSS 5.5 · [MEDIUM]
Body: the same USN advisory text (USN-3358-1 for the 16.04 LTS HWE kernel) as the Ubuntu "Linux kernel (HWE) vulnerabilities" entry above.
OSV · linux-lts-xenial vulnerabilities · osv·2017-06-07·CVSS 5.0 · [MEDIUM]
Body: the same USN advisory text (USN-3312-1 for the 14.04 LTS HWE kernel) as the Ubuntu "Linux kernel (Xenial HWE) vulnerabilities" entry above.
OSV · linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities · osv·2017-06-07·CVSS 5.0 · indexed under CVE-2016-7917 [MEDIUM]
Body: the same USN advisory text as the Ubuntu "Linux kernel vulnerabilities" entry dated 2017-06-07 with CVSS 5.0 above.
OSV · CVE-2017-7895 · osv·2017-04-28·CVSS 9.8 · CVE-2017-7895 [CRITICAL]
No detection rules found.
No public exploits indexed.
Bugzilla · CVE-2017-7895 kernel: NFSv3 server does not properly handle payload bounds checking of WRITE requests [fedora-all] · bugzilla·2017-04-28·CVSS 9.8 · CVE-2017-7895 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issu
Bugzilla · CVE-2017-7895 kernel: NFSv3 server does not properly handle payload bounds checking of WRITE requests · bugzilla·2017-04-27·CVSS 9.8 · CVE-2017-7895 [CRITICAL]
The NFSv3 server in the Linux kernel does not properly handle payload bounds checking of WRITE requests, which allows remote attackers to read up to about 1 MB - 4096 bytes of kernel memory to a file. Write access to a NFS mount is required.
References:
http://seclists.org/oss-sec/2017/q2/196
Upstream patch:
https://github.com/torvalds/linux/commit/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
Acknowledgments:
Name: Ari Kauppi
---
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1446541]
---
Statement:
This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2. Future kernel upd
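The Red Hat analysis above, together with the CVE text's "lack certain checks for the end of a buffer" and "pointer-arithmetic errors", describes a decoder that does arithmetic on its cursor before confirming the cursor still lies inside the received request. The C below is an added example written for this page; it is not code from fs/nfsd/nfs3xdr.c, fs/nfsd/nfsxdr.c or the upstream patch. It models the NFSv3 WRITE3args field walk over a single receive page with a constructed "bytes received" length, shows how a request cut short inside the fixed fields makes the unsigned "bytes available" subtraction wrap and slip past the length check, so that the server would go on to write bytes it never received, and then shows the end-of-buffer test that rejects the same request. The page size, the 1 MiB payload limit, the stale values placed beyond the received bytes and both sample requests are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Linux nfsd code: a flat-buffer model of an NFSv3 WRITE3args
 * decoder (RFC 1813: fh opaque<64>, offset u64, count u32, stable u32, data
 * opaque<>) with no end-of-buffer check, beside the check that closes the hole.
 * Sizes, names and sample requests are assumptions made for the demonstration. */

#define NFS3_FHSIZE 64
#define PAGE_SZ     4096            /* one receive page (assumed) */
#define MAX_PAYLOAD (1024 * 1024)   /* assumed server write-size limit */

/* head_len/page_len/tail_len: bytes the client actually sent. 'page' is the
 * backing storage and may hold stale bytes beyond head_len. */
struct rq_buf { const uint8_t *page; size_t head_len, page_len, tail_len; };

struct write3args {
    uint32_t fh_len, count, stable, len;
    uint64_t offset;
    size_t hdr;    /* header bytes consumed */
    size_t dlen;   /* payload bytes the decoder believes were received */
};

static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static size_t xdr_round(uint32_t n) { return ((size_t)n + 3) & ~(size_t)3; }

/* Walk the fixed fields. Reads stay inside the page, as in the kernel, but not
 * necessarily inside the received bytes. Returns the cursor after 'len', or 0
 * for an oversized file handle (a size check, not an end-of-buffer check). */
static size_t walk_fields(const struct rq_buf *rq, struct write3args *a)
{
    const uint8_t *b = rq->page;
    size_t p = 4;
    a->fh_len = be32(b);
    if (a->fh_len > NFS3_FHSIZE) return 0;
    p += xdr_round(a->fh_len);
    a->offset = ((uint64_t)be32(b + p) << 32) | be32(b + p + 4); p += 8;
    a->count  = be32(b + p); p += 4;
    a->stable = be32(b + p); p += 4;
    a->len    = be32(b + p); p += 4;
    return p;
}

/* Vulnerable pattern: the cursor is never compared with head_len. For a request
 * truncated inside the fixed fields, hdr exceeds the received size, the unsigned
 * subtraction wraps dlen to a huge value, the "enough payload received?" test
 * passes, and the caller would write 'len' bytes that never arrived. 1 = accept. */
int decode_write_lax(const struct rq_buf *rq, struct write3args *a)
{
    size_t p = walk_fields(rq, a);
    if (!p || a->count != a->len) return 0;
    a->hdr  = p;
    a->dlen = rq->head_len + rq->page_len + rq->tail_len - a->hdr;  /* may wrap */
    if (a->dlen < xdr_round(a->len)) return 0;
    if (a->count > MAX_PAYLOAD) { a->count = MAX_PAYLOAD; a->len = a->count; }
    return 1;
}

/* Hardened pattern: reject as soon as the header runs past the received bytes,
 * so dlen cannot wrap, and refuse oversized writes instead of clamping them. */
int decode_write_strict(const struct rq_buf *rq, struct write3args *a)
{
    size_t p = walk_fields(rq, a);
    if (!p || p > rq->head_len) return 0;    /* the end-of-buffer check */
    if (a->count != a->len || a->count > MAX_PAYLOAD) return 0;
    a->hdr  = p;
    a->dlen = rq->head_len + rq->page_len + rq->tail_len - a->hdr;  /* >= 0 */
    return a->dlen >= xdr_round(a->len);
}

/* Constructed sample 1: a well-formed 8-byte write, fully received (36 bytes). */
void build_good_request(uint8_t *page, struct rq_buf *rq)
{
    memset(page, 0, PAGE_SZ);
    put32(page, 4); memcpy(page + 4, "\x01\x02\x03\x04", 4);       /* fh */
    put32(page + 8, 0); put32(page + 12, 0);                       /* offset */
    put32(page + 16, 8); put32(page + 20, 0); put32(page + 24, 8); /* count, stable, len */
    memcpy(page + 28, "ABCDEFGH", 8);                              /* payload */
    rq->page = page; rq->head_len = 36; rq->page_len = 0; rq->tail_len = 0;
}

/* Constructed sample 2: only fh and offset (16 bytes) were received; count and
 * len sit in the stale part of the page, with values chosen for the
 * demonstration rather than captured from a client. */
void build_truncated_request(uint8_t *page, struct rq_buf *rq)
{
    build_good_request(page, rq);
    put32(page + 16, MAX_PAYLOAD - PAGE_SZ);   /* stale count */
    put32(page + 24, MAX_PAYLOAD - PAGE_SZ);   /* stale len (stable stays 0) */
    rq->head_len = 16;
}

int main(void)
{
    uint8_t page[PAGE_SZ]; struct rq_buf rq; struct write3args a;
    build_truncated_request(page, &rq);
    printf("lax accepts=%d\n", decode_write_lax(&rq, &a));
    printf("strict accepts=%d\n", decode_write_strict(&rq, &a));
}
```

Compile with any C99 compiler and run: the lax decoder accepts the truncated request with len = 1044480 (1 MiB minus one 4096-byte page, which matches the figure quoted in the Red Hat analysis) and a wrapped dlen, while the strict decoder rejects it before any arithmetic is done on the cursor. The CVE text names the NFSv2 decoder in fs/nfsd/nfsxdr.c alongside the NFSv3 one, so the same end-of-buffer check is needed on both paths.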
arXiv · Towards Linux Kernel Memory Safety · arxiv_fulltext·2017-10-17
Elena Reshetova (Intel OTC Finland, Espoo, Finland); Hans Liljestrand, Andrew Paverd and N. Asokan (Aalto University, Espoo, Finland)
CCS concepts: Security and privacy → Operating systems security. Keywords: Linux kernel, memory safety.
## Abstract
The security of billions of devices worldwide depends on the security and robustness of the mainline Linux kernel. However, the increasing number of kernel-specific vulnerabilities, especiall
References
http://www.debian.org/security/2017/dsa-3886
http://www.securityfocus.com/bid/98085
https://access.redhat.com/errata/RHSA-2017:1615
https://access.redhat.com/errata/RHSA-2017:1616
https://access.redhat.com/errata/RHSA-2017:1647
https://access.redhat.com/errata/RHSA-2017:1715
https://access.redhat.com/errata/RHSA-2017:1723
https://access.redhat.com/errata/RHSA-2017:1766
https://access.redhat.com/errata/RHSA-2017:1798
https://access.redhat.com/errata/RHSA-2017:2412
https://access.redhat.com/errata/RHSA-2017:2428
https://access.redhat.com/errata/RHSA-2017:2429
https://access.redhat.com/errata/RHSA-2017:2472
https://access.redhat.com/errata/RHSA-2017:2732
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=13bf9fbff0e5e099e2b6f003a0ab8ae145436309
https://github.com/torvalds/linux/commit/13bf9fbff0e5e099e2b6f003a0ab8ae145436309