CVE-2017-1000408 - A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_

CVE-2017-1000408

Summary

A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

References

Vulnerable Configurations

cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*

CVSS

Base:	7.2 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:

CWE

CWE-772

CAPEC

HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:L/Au:N/C:C/I:C/A:C

refmap via4

confirm	https://security.netapp.com/advisory/ntap-20190404-0003/
exploit-db	43331
mlist	[oss-security] 20171211 Qualys Security Advisory - Buffer overflow in glibc's ld.so [oss-security] 20190627 Re: linux-distros membership application - Microsoft [oss-security] 20190628 Re: linux-distros membership application - Microsoft

Last major update

03-10-2019 - 00:03

Published

01-02-2018 - 04:29

Last modified

03-10-2019 - 00:03