CVE-2017-17807

kernel: Missing permissions check for request_key() destination allows local attackers to add keys to keyring without Write permission

Severity Score

3.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's "default request-key keyring" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.

El subsistema KEYS en el kernel de Linux en versiones anteriores a la 4.14.6 omitía una comprobación de control de acceso cuando se agregaba una clave al "llavero de acceso por defecto" de la tarea actual mediante la llamada al sistema request_key(), permitiendo a un usuario local utilizar una secuencia de llamadas de sistema manipuladas para añadir claves a un llavero solo con permiso de búsqueda (no de escritura) a ese llavero. Esto está relacionado con construct_get_dest_keyring() en security/keys/request_key.c.

The KEYS subsystem in the Linux kernel omitted an access-control check when writing a key to the current task's default keyring, allowing a local user to bypass security checks to the keyring. This compromises the validity of the keyring for those who rely on it.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-03 CVE Published
2017-12-20 CVE Reserved
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (17)

URL	Tag	Source
http://www.securityfocus.com/bid/102301	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html	Mailing List
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.6	Issue Tracking

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4dca6ea1d9432052afb06baf2e3ae78188a4410b	2019-10-03
https://github.com/torvalds/linux/commit/4dca6ea1d9432052afb06baf2e3ae78188a4410b	2019-10-03

URL	Date	SRC
https://usn.ubuntu.com/3617-1	2019-10-03
https://usn.ubuntu.com/3617-2	2019-10-03
https://usn.ubuntu.com/3617-3	2019-10-03
https://usn.ubuntu.com/3619-1	2019-10-03
https://usn.ubuntu.com/3619-2	2019-10-03
https://usn.ubuntu.com/3620-1	2019-10-03
https://usn.ubuntu.com/3620-2	2019-10-03
https://usn.ubuntu.com/3632-1	2019-10-03
https://www.debian.org/security/2017/dsa-4073	2019-10-03
https://www.debian.org/security/2018/dsa-4082	2019-10-03
https://access.redhat.com/security/cve/CVE-2017-17807	2020-03-31
https://bugzilla.redhat.com/show_bug.cgi?id=1528335	2020-03-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.14.6 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.6"		-		Affected