CVE-2017-15129

kernel: net: double-free and memory corruption in get_net_ns_by_id()

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.

Se ha descubierto una vulnerabilidad en los nombres de espacio de red que afecta al kernel de Linux en versiones anteriores a la 4.14.11. La función get_net_ns_by_id() en net/core/net_namespace.c no verifica el valor net::count una vez que ha encontrado una red peer en el ids netns_ids, lo que podría conducir a una doble liberación (double free) y a una corrupción de memoria. Esta vulnerabilidad podría permitir que un usuario local sin privilegios provoque una corrupción de memoria en el sistema, desembocando en un cierre inesperado. Debido a la naturaleza del error, no puede descartarse totalmente el escalado de privilegios, aunque se cree que es improbable.

A use-after-free vulnerability was found in a network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check for the net::count value after it has found a peer network in netns_ids idr which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-03 CVE Published
2017-10-08 CVE Reserved
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (19)

URL	Tag	Source
http://seclists.org/oss-sec/2018/q1/7	Mailing List
http://www.securityfocus.com/bid/102485	Broken Link
https://marc.info/?t=151370468900001&r=1&w=2	Mailing List
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11	Release Notes

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=21b5944350052d2583e82dd59b19a9ba94a007f0	2024-02-08
https://bugzilla.redhat.com/show_bug.cgi?id=1531174	2019-07-30
https://github.com/torvalds/linux/commit/21b5944350052d2583e82dd59b19a9ba94a007f0	2024-02-08
https://marc.info/?l=linux-netdev&m=151370451121029&w=2	2024-02-08

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:0654	2024-02-08
https://access.redhat.com/errata/RHSA-2018:0676	2024-02-08
https://access.redhat.com/errata/RHSA-2018:1062	2024-02-08
https://access.redhat.com/errata/RHSA-2019:1946	2024-02-08
https://access.redhat.com/security/cve/CVE-2017-15129	2019-07-30
https://usn.ubuntu.com/3617-1	2024-02-08
https://usn.ubuntu.com/3617-2	2024-02-08
https://usn.ubuntu.com/3617-3	2024-02-08
https://usn.ubuntu.com/3619-1	2024-02-08
https://usn.ubuntu.com/3619-2	2024-02-08
https://usn.ubuntu.com/3632-1	2024-02-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 4.14.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 4.14.11"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.15 Search vendor "Linux" for product "Linux Kernel" and version "4.15"		rc1		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.15 Search vendor "Linux" for product "Linux Kernel" and version "4.15"		rc2		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.15 Search vendor "Linux" for product "Linux Kernel" and version "4.15"		rc3		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.15 Search vendor "Linux" for product "Linux Kernel" and version "4.15"		rc4		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				27 Search vendor "Fedoraproject" for product "Fedora" and version "27"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Compute Node Eus Search vendor "Redhat" for product "Enterprise Linux Compute Node Eus"				7.4 Search vendor "Redhat" for product "Enterprise Linux Compute Node Eus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				7.4 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				7.7 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "7.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Eus Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"				7.4 Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Big Endian Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Big Endian Eus Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian Eus"				7.4 Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian Eus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Eus Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"				7.4 Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Real Time Search vendor "Redhat" for product "Enterprise Linux For Real Time"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Real Time" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Real Time For Nfv Search vendor "Redhat" for product "Enterprise Linux For Real Time For Nfv"				7 Search vendor "Redhat" for product "Enterprise Linux For Real Time For Nfv" and version "7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Scientific Computing Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.4 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.4 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.7 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Update Services For Sap Solutions Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"				7.4 Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected