ID CVE-2017-18017
Summary The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
References
Vulnerable Configurations
  • Linux Kernel 4.9
    cpe:2.3:o:linux:linux_kernel:4.9
  • Linux Kernel 4.9.1
    cpe:2.3:o:linux:linux_kernel:4.9.1
  • Linux Kernel 4.9.2
    cpe:2.3:o:linux:linux_kernel:4.9.2
  • Linux Kernel 4.9.3
    cpe:2.3:o:linux:linux_kernel:4.9.3
  • Linux Kernel 4.9.4
    cpe:2.3:o:linux:linux_kernel:4.9.4
  • Linux Kernel 4.9.5
    cpe:2.3:o:linux:linux_kernel:4.9.5
  • Linux Kernel 4.9.6
    cpe:2.3:o:linux:linux_kernel:4.9.6
  • Linux Kernel 4.9.7
    cpe:2.3:o:linux:linux_kernel:4.9.7
  • Linux Kernel 4.9.8
    cpe:2.3:o:linux:linux_kernel:4.9.8
  • Linux Kernel 4.9.9
    cpe:2.3:o:linux:linux_kernel:4.9.9
  • Linux Kernel 4.9.10
    cpe:2.3:o:linux:linux_kernel:4.9.10
  • Linux Kernel 4.9.11
    cpe:2.3:o:linux:linux_kernel:4.9.11
  • Linux Kernel 4.9.12
    cpe:2.3:o:linux:linux_kernel:4.9.12
  • Linux Kernel 4.9.13
    cpe:2.3:o:linux:linux_kernel:4.9.13
  • Linux Kernel 4.9.14
    cpe:2.3:o:linux:linux_kernel:4.9.14
  • Linux Kernel 4.9.15
    cpe:2.3:o:linux:linux_kernel:4.9.15
  • Linux Kernel 4.9.16
    cpe:2.3:o:linux:linux_kernel:4.9.16
  • Linux Kernel 4.9.17
    cpe:2.3:o:linux:linux_kernel:4.9.17
  • Linux Kernel 4.9.18
    cpe:2.3:o:linux:linux_kernel:4.9.18
  • Linux Kernel 4.9.19
    cpe:2.3:o:linux:linux_kernel:4.9.19
  • Linux Kernel 4.9.20
    cpe:2.3:o:linux:linux_kernel:4.9.20
  • Linux Kernel 4.9.21
    cpe:2.3:o:linux:linux_kernel:4.9.21
  • Linux Kernel 4.9.22
    cpe:2.3:o:linux:linux_kernel:4.9.22
  • Linux Kernel 4.9.23
    cpe:2.3:o:linux:linux_kernel:4.9.23
  • Linux Kernel 4.9.24
    cpe:2.3:o:linux:linux_kernel:4.9.24
  • Linux Kernel 4.9.25
    cpe:2.3:o:linux:linux_kernel:4.9.25
  • Linux Kernel 4.9.26
    cpe:2.3:o:linux:linux_kernel:4.9.26
  • Linux Kernel 4.9.27
    cpe:2.3:o:linux:linux_kernel:4.9.27
  • Linux Kernel 4.9.28
    cpe:2.3:o:linux:linux_kernel:4.9.28
  • Linux Kernel 4.9.29
    cpe:2.3:o:linux:linux_kernel:4.9.29
  • Linux Kernel 4.9.30
    cpe:2.3:o:linux:linux_kernel:4.9.30
  • Linux Kernel 4.9.31
    cpe:2.3:o:linux:linux_kernel:4.9.31
  • Linux Kernel 4.9.32
    cpe:2.3:o:linux:linux_kernel:4.9.32
  • Linux Kernel 4.9.33
    cpe:2.3:o:linux:linux_kernel:4.9.33
  • Linux Kernel 4.9.34
    cpe:2.3:o:linux:linux_kernel:4.9.34
  • Linux Kernel 4.9.35
    cpe:2.3:o:linux:linux_kernel:4.9.35
  • Linux Kernel 4.10
    cpe:2.3:o:linux:linux_kernel:4.10
  • Linux Kernel 4.10.1
    cpe:2.3:o:linux:linux_kernel:4.10.1
  • Linux Kernel 4.10.2
    cpe:2.3:o:linux:linux_kernel:4.10.2
  • Linux Kernel 4.10.3
    cpe:2.3:o:linux:linux_kernel:4.10.3
  • Linux Kernel 4.10.4
    cpe:2.3:o:linux:linux_kernel:4.10.4
  • Linux Kernel 4.10.5
    cpe:2.3:o:linux:linux_kernel:4.10.5
  • Linux Kernel 4.10.6
    cpe:2.3:o:linux:linux_kernel:4.10.6
  • Linux Kernel 4.10.7
    cpe:2.3:o:linux:linux_kernel:4.10.7
  • Linux Kernel 4.10.8
    cpe:2.3:o:linux:linux_kernel:4.10.8
  • Linux Kernel 4.10.9
    cpe:2.3:o:linux:linux_kernel:4.10.9
  • Linux Kernel 4.10.10
    cpe:2.3:o:linux:linux_kernel:4.10.10
  • Linux Kernel 4.10.11
    cpe:2.3:o:linux:linux_kernel:4.10.11
  • Linux Kernel 4.10.12
    cpe:2.3:o:linux:linux_kernel:4.10.12
  • Linux Kernel 4.10.13
    cpe:2.3:o:linux:linux_kernel:4.10.13
  • Linux Kernel 4.10.14
    cpe:2.3:o:linux:linux_kernel:4.10.14
  • Linux Kernel 4.10.15
    cpe:2.3:o:linux:linux_kernel:4.10.15
  • Linux Kernel 4.11 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:4.11:rc1
  • Linux Kernel 4.11 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:4.11:rc2
  • Linux Kernel 4.11 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:4.11:rc3
  • Linux Kernel 4.11 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:4.11:rc4
  • Linux Kernel 4.11 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:4.11:rc5
  • Linux Kernel 4.11 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:4.11:rc6
  • Linux Kernel 4.11 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:4.11:rc7
CVSS
Base: 10.0
Impact:
Exploitability:
CWE CWE-416
CAPEC
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3583-1.NASL
    description It was discovered that an out-of-bounds write vulnerability existed in the Flash-Friendly File System (f2fs) in the Linux kernel. An attacker could construct a malicious file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0750) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190) It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192) It was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051) Otto Ebeling discovered that the memory manager in the Linux kernel did not properly check the effective UID in some situations. A local attacker could use this to expose sensitive information. 
(CVE-2017-14140) It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156) ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14489) James Patrick-Evans discovered a race condition in the LEGO USB Infrared Tower driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15102) ChunYu Wang discovered that a use-after-free vulnerability existed in the SCTP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15115) It was discovered that the key management subsystem in the Linux kernel did not properly handle NULL payloads with non-zero length values. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15274) It was discovered that the Bluetooth Network Encapsulation Protocol (BNEP) implementation in the Linux kernel did not validate the type of socket passed in the BNEPCONNADD ioctl(). A local attacker with the CAP_NET_ADMIN privilege could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15868) Andrey Konovalov discovered a use-after-free vulnerability in the USB serial console driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16525) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. 
A local attacker could improperly modify the systemwide OS fingerprint list. (CVE-2017-17450) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) Denys Fedoryshchenko discovered a use-after-free vulnerability in the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-18017) Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669) It was discovered that an integer overflow vulnerability existed in the IPv6 implementation in the Linux kernel. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-7542) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8824) Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) Fan Long Fei discovered that a race condition existed in the loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 
(CVE-2018-5344) USN-3524-1 mitigated CVE-2017-5754 (Meltdown) for the amd64 architecture in Ubuntu 14.04 LTS. This update provides the corresponding mitigations for the ppc64el architecture. Original advisory details : Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 107003
    published 2018-02-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107003
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3583-1) (Meltdown)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-1319.NASL
    description From Red Hat Security Advisory 2018:1319 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, x86 32-bit) * Kernel: error in exception handling leads to DoS (CVE-2018-8897) * kernel: nfsd: Incorrect handling of long RPC replies (CVE-2017-7645) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c (CVE-2017-18017) * kernel: Stack information leak in the EFS element (CVE-2017-1000410) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Google Project Zero for reporting CVE-2017-5754; Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for reporting CVE-2018-8897; Mohamed Ghannam for reporting CVE-2017-8824; and Armis Labs for reporting CVE-2017-1000410. Bug Fix(es) : These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article: https://access.redhat.com/articles/3431591
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 109629
    published 2018-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109629
    title Oracle Linux 6 : kernel (ELSA-2018-1319) (Meltdown)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-153.NASL
    description