CVE-2017-1000410
kernel: Stack information leak in the EFS element
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
The Linux kernel, version 3.3-rc1 and later, is affected by a vulnerability in the processing of incoming L2CAP commands: ConfigRequest and ConfigResponse messages. This information leak is the result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code paths that run before these configuration messages are handled, an attacker can also gain some control over which data is left in the uninitialized stack variables. This can allow the attacker to bypass KASLR and stack canary protection, as both pointers and stack canaries may be leaked this way. Combining this vulnerability with, for example, the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit that RCE against kernels built with those mitigations.

The specifics of this vulnerability: in the functions l2cap_parse_conf_rsp and l2cap_parse_conf_req the following variable is declared without initialization:

```c
struct l2cap_conf_efs efs;
```

In addition, when parsing the incoming configuration parameters in both of these functions, the switch case that handles EFS elements may skip the memcpy call that would write to the efs variable:

```c
...
case L2CAP_CONF_EFS:
	if (olen == sizeof(efs))
		memcpy(&efs, (void *)val, olen);
...
```

The olen in that if is attacker controlled, and regardless of the outcome of the if, in both functions the efs variable is eventually added to the outgoing configuration message (request or response) that is being built:

```c
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
```

So by sending a configuration request or response that contains an L2CAP_CONF_EFS element whose element length is not sizeof(efs), the memcpy into the uninitialized efs variable is avoided, and the uninitialized variable (16 bytes) is returned to the attacker.
A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space.
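As an added example (not the page's text and not the kernel's own code), the following C program models the option loop described above in user space. The stale contents of the efs stack slot are supplied explicitly so that the leak is deterministic; a 4-byte EFS element triggers the skipped memcpy and the reply carries those stale bytes, while a hardened variant zero-initialises efs and refuses to echo an EFS element whose length is not sizeof(efs). The struct layout and the L2CAP_CONF_EFS value match the kernel's; the function names add_conf_opt, parse_conf_req, find_opt, reply_efs_equals, efs_leaks and efs_echoed, and all sample bytes, are this example's own assumptions.

```c
/* Added example (not kernel code): a user-space model of the EFS option
 * handling described above. Stale stack contents are simulated so the leak
 * is reproducible; in the kernel they would be real frame leftovers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_EFS 0x06     /* option type value from the kernel's l2cap.h */

struct l2cap_conf_efs {         /* same 16-byte layout as the kernel struct */
    uint8_t  id, stype;
    uint16_t msdu;
    uint32_t sdu_itime, acc_lat, flush_to;
} __attribute__((packed));

/* Append one type/length/value option, as l2cap_add_conf_opt does. */
static void add_conf_opt(uint8_t **ptr, uint8_t type, uint8_t len, const void *val)
{
    (*ptr)[0] = type;
    (*ptr)[1] = len;
    memcpy(*ptr + 2, val, len);
    *ptr += 2 + len;
}

/* Walk the options of a config request and build the reply, mirroring the
 * kernel loop. hardened == 0 reproduces the flaw, hardened == 1 shows one fix.
 * 'stale' stands in for whatever the previous callee left in the stack slot
 * that 'efs' occupies (in the kernel: canaries, return addresses, pointers). */
static size_t parse_conf_req(const uint8_t *req, size_t req_len,
                             const struct l2cap_conf_efs *stale,
                             uint8_t *rsp, int hardened)
{
    struct l2cap_conf_efs efs;
    uint8_t *ptr = rsp;
    int have_efs = 0;
    if (hardened)
        memset(&efs, 0, sizeof(efs));      /* never emit stack leftovers */
    else
        memcpy(&efs, stale, sizeof(efs));  /* simulated uninitialized variable */
    for (size_t off = 0; off + 2 <= req_len; ) {
        uint8_t type = req[off], olen = req[off + 1];
        const uint8_t *val = req + off + 2;
        if (off + 2 + olen > req_len)
            break;                         /* truncated option: stop parsing */
        off += 2 + olen;
        if (type != L2CAP_CONF_EFS)
            continue;
        if (olen == sizeof(efs)) {
            memcpy(&efs, val, olen);
            have_efs = 1;
        } else if (!hardened) {
            have_efs = 1;   /* BUG: element accepted although its body was never copied */
        }                   /* hardened: a wrong-length EFS is malformed and not echoed */
    }
    if (have_efs)
        add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), &efs);
    return (size_t)(ptr - rsp);
}

/* Find an option in a built reply; returns a pointer to its value or NULL. */
static const uint8_t *find_opt(const uint8_t *buf, size_t len, uint8_t type, uint8_t *olen)
{
    for (size_t off = 0; off + 2 <= len && off + 2 + buf[off + 1] <= len;
         off += 2 + buf[off + 1]) {
        if (buf[off] == type) {
            *olen = buf[off + 1];
            return buf + off + 2;
        }
    }
    return NULL;
}

/* Send one EFS element of elem_len bytes (constructed body 0x10, 0x11, ...) and
 * report whether the reply carries a 16-byte EFS value equal to 'expect'. */
static int reply_efs_equals(int hardened, uint8_t elem_len, const void *expect)
{
    struct l2cap_conf_efs stale;
    uint8_t req[18] = { 0 }, rsp[64], olen = 0;
    memset(&stale, 0x41, sizeof(stale));   /* constructed "stack garbage" */
    req[0] = L2CAP_CONF_EFS;
    req[1] = elem_len;
    for (int i = 0; i < elem_len; i++)
        req[2 + i] = (uint8_t)(0x10 + i);
    size_t n = parse_conf_req(req, 2u + elem_len, &stale, rsp, hardened);
    const uint8_t *v = find_opt(rsp, n, L2CAP_CONF_EFS, &olen);
    return v != NULL && olen == 16 && memcmp(v, expect, 16) == 0;
}

int efs_leaks(int hardened)     /* 1 if a 4-byte element leaks the stack bytes */
{
    uint8_t garbage[16];
    memset(garbage, 0x41, sizeof(garbage));
    return reply_efs_equals(hardened, 4, garbage);
}

int efs_echoed(int hardened)    /* 1 if a well-formed 16-byte element is echoed */
{
    uint8_t sent[16];
    for (int i = 0; i < 16; i++)
        sent[i] = (uint8_t)(0x10 + i);
    return reply_efs_equals(hardened, 16, sent);
}

int main(void)
{
    printf("vulnerable: leak=%d echo=%d\n", efs_leaks(0), efs_echoed(0));
    printf("hardened:   leak=%d echo=%d\n", efs_leaks(1), efs_echoed(1));
    return 0;
}
```

Compile with `cc -Wall` and run: the vulnerable variant reports leak=1 because the reply's 16-byte EFS value is the 0x41 fill that stood in for the stack, the hardened variant reports leak=0 and emits no EFS element for the malformed request, and both echo a well-formed 16-byte element unchanged. The zeroing alone would already stop the leak; rejecting the mismatched length as well is the check a reviewer would want so that a malformed element never influences the reply at all.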
Timeline
- 2017-12-07 CVE Reserved
- 2017-12-07 CVE Published
- 2024-03-12 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References (15)
URL | Tag | Date |
---|---|---|
http://www.securityfocus.com/bid/102101 | Issue Tracking | - |
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 | Third Party Advisory | - |
http://seclists.org/oss-sec/2017/q4/357 | - | 2019-04-08 |
https://access.redhat.com/errata/RHSA-2018:0654 | - | 2019-04-08 |
https://access.redhat.com/errata/RHSA-2018:0676 | - | 2019-04-08 |
https://access.redhat.com/errata/RHSA-2018:1062 | - | 2019-04-08 |
https://access.redhat.com/errata/RHSA-2018:1130 | - | 2019-04-08 |
https://access.redhat.com/errata/RHSA-2018:1170 | - | 2019-04-08 |
https://access.redhat.com/errata/RHSA-2018:1319 | - | 2019-04-08 |
https://usn.ubuntu.com/3933-1 | - | 2019-04-08 |
https://usn.ubuntu.com/3933-2 | - | 2019-04-08 |
https://www.debian.org/security/2017/dsa-4073 | - | 2019-04-08 |
https://www.debian.org/security/2018/dsa-4082 | - | 2019-04-08 |
https://access.redhat.com/security/cve/CVE-2017-1000410 | - | 2018-05-08 |
https://bugzilla.redhat.com/show_bug.cgi?id=1519160 | - | 2018-05-08 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | > 3.2 < 4.15 | - | Affected |
Linux | Linux Kernel | 4.15 | rc1 | Affected |
Linux | Linux Kernel | 4.15 | rc2 | Affected |
Linux | Linux Kernel | 4.15 | rc3 | Affected |
Linux | Linux Kernel | 4.15 | rc4 | Affected |
Linux | Linux Kernel | 4.15 | rc5 | Affected |
Linux | Linux Kernel | 4.15 | rc6 | Affected |
Linux | Linux Kernel | 4.15 | rc7 | Affected |
Debian | Debian Linux | 8.0 | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |
Redhat | Virtualization Host | 4.0 | - | Affected |
Redhat | Enterprise Linux Desktop | 6.0 | - | Affected |
Redhat | Enterprise Linux Desktop | 7.0 | - | Affected |
Redhat | Enterprise Linux Server | 6.0 | - | Affected |
Redhat | Enterprise Linux Server | 7.0 | - | Affected |
Redhat | Enterprise Linux Server Aus | 7.6 | - | Affected |
Redhat | Enterprise Linux Server Eus | 7.4 | - | Affected |
Redhat | Enterprise Linux Server Eus | 7.6 | - | Affected |
Redhat | Enterprise Linux Server Tus | 7.4 | - | Affected |
Redhat | Enterprise Linux Server Tus | 7.6 | - | Affected |
Redhat | Enterprise Linux Workstation | 6.0 | - | Affected |
Redhat | Enterprise Linux Workstation | 7.0 | - | Affected |