CVE-2016-4997

Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.

Las implementaciones de compat IPT_SO_SET_REPLACE y IP6T_SO_SET_REPLACE setsockopt en el subsistema netfilter en el kernel de Linux antes de 4.6.3 permiten a los usuarios locales obtener privilegios o provocar una denegación de servicio (corrupción de memoria) aprovechando el acceso del root en el contenedor para proporcionar un valor de compensación manipulado que desencadena una disminución no intencionada.

A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service or execute arbitrary code with administrative privileges. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-05-24 CVE Reserved
2016-06-27 CVE Published
2016-09-27 First Exploit
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (48)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2016/06/24/5	Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html	Third Party Advisory
http://www.securityfocus.com/bid/91451	Third Party Advisory
http://www.securitytracker.com/id/1036171	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05347541	Third Party Advisory
https://www.openwall.com/lists/oss-security/2016/06/24/5
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91

URL	Date	SRC
https://packetstorm.news/files/id/139880	2016-11-23
https://packetstorm.news/files/id/138854	2016-09-27
https://www.exploit-db.com/exploits/40489	2024-08-06
https://www.exploit-db.com/exploits/40435	2024-08-06
http://www.openwall.com/lists/oss-security/2016/09/29/10	2024-08-06
https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt	2024-08-06

URL	Date	SRC
https://github.com/torvalds/linux/commit/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c	2023-09-12

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c	2016-06-03
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00060.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00061.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00048.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00050.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00051.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00052.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00053.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00054.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html	2023-09-12
http://rhn.redhat.com/errata/RHSA-2016-1847.html	2023-09-12
http://rhn.redhat.com/errata/RHSA-2016-1875.html	2023-09-12
http://rhn.redhat.com/errata/RHSA-2016-1883.html	2023-09-12
http://www.debian.org/security/2016/dsa-3607	2023-09-12
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.3	2023-09-12
http://www.ubuntu.com/usn/USN-3016-1	2023-09-12
http://www.ubuntu.com/usn/USN-3016-2	2023-09-12
http://www.ubuntu.com/usn/USN-3016-3	2023-09-12
http://www.ubuntu.com/usn/USN-3016-4	2023-09-12
http://www.ubuntu.com/usn/USN-3017-1	2023-09-12
http://www.ubuntu.com/usn/USN-3017-2	2023-09-12
http://www.ubuntu.com/usn/USN-3017-3	2023-09-12
http://www.ubuntu.com/usn/USN-3018-1	2023-09-12
http://www.ubuntu.com/usn/USN-3018-2	2023-09-12
http://www.ubuntu.com/usn/USN-3019-1	2023-09-12
http://www.ubuntu.com/usn/USN-3020-1	2023-09-12
https://bugzilla.redhat.com/show_bug.cgi?id=1349722	2016-09-14
https://access.redhat.com/security/cve/CVE-2016-4997	2016-09-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.17 < 3.2.80 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.17 < 3.2.80"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.3 < 3.10.103 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.103"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.11 < 3.12.62 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.62"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 3.14.73 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.14.73"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.15 < 3.16.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.15 < 3.16.37"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.17 < 3.18.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.37"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.1.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.1.28"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 4.4.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.4.14"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.5 < 4.6.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.6.3"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Software Development Kit Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Software Development Kit Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit" and version "12.0"		sp1		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Desktop Search vendor "Novell" for product "Suse Linux Enterprise Desktop"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Desktop" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Desktop Search vendor "Novell" for product "Suse Linux Enterprise Desktop"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Desktop" and version "12.0"		sp1		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Live Patching Search vendor "Novell" for product "Suse Linux Enterprise Live Patching"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Live Patching" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Module For Public Cloud Search vendor "Novell" for product "Suse Linux Enterprise Module For Public Cloud"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Module For Public Cloud" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Real Time Extension Search vendor "Novell" for product "Suse Linux Enterprise Real Time Extension"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Real Time Extension" and version "12.0"		sp1		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Server Search vendor "Novell" for product "Suse Linux Enterprise Server"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Server" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Server Search vendor "Novell" for product "Suse Linux Enterprise Server"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Server" and version "12.0"		sp1		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Workstation Extension Search vendor "Novell" for product "Suse Linux Enterprise Workstation Extension"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Workstation Extension" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Workstation Extension Search vendor "Novell" for product "Suse Linux Enterprise Workstation Extension"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Workstation Extension" and version "12.0"		sp1		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				7 Search vendor "Oracle" for product "Linux" and version "7"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected