CVE-2016-4997

Severity

72%

Complexity

39%

Confidentiality

165%

The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.

CVSS 3.0 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Overview

Type

Linux

First reported: 2016-07-03 21:59:00

Last updated: 2019-12-27 16:08:00

Affected Software

Linux Kernel
Canonical Ubuntu Linux 12.04 LTS, version 12.04
Canonical Ubuntu Linux 14.04 LTS (Long-Term Support), version 14.04
Canonical Ubuntu Linux 15.10, version 15.10
Canonical Ubuntu Linux 16.04 LTS (Long-Term Support), version 16.04
Novell SUSE Linux Enterprise Desktop 12.0, version 12.0
Novell SUSE Linux Enterprise Server 12.0, version 12.0
Novell SUSE Linux Enterprise Server 12.0 Service Pack 1, version 12.0
Novell SUSE Linux Enterprise Software Development Kit 12.0 Service Pack 1, version 12.0

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c (Vendor Advisory)
SUSE-SU-2016:1709 (Third Party Advisory)
SUSE-SU-2016:1710 (Third Party Advisory)
SUSE-SU-2016:1937 (Third Party Advisory)
SUSE-SU-2016:1985
SUSE-SU-2016:2018
SUSE-SU-2016:2105
SUSE-SU-2016:2174
SUSE-SU-2016:2177
SUSE-SU-2016:2178
SUSE-SU-2016:2179
SUSE-SU-2016:2180
SUSE-SU-2016:2181
openSUSE-SU-2016:2184
RHSA-2016:1847
RHSA-2016:1875
RHSA-2016:1883
DSA-3607
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.3
[oss-security] 20160624 Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access)
[oss-security] 20160929 CVE request - Linux kernel through 4.6.2 allows escalade privileges via IP6T_SO_SET_REPLACE compat setsockopt call (Exploit, Third Party Advisory)
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html (Third Party Advisory)
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
91451
1036171
USN-3016-1 (Third Party Advisory)
USN-3016-2 (Third Party Advisory)
USN-3016-3 (Third Party Advisory)
USN-3016-4 (Third Party Advisory)
USN-3017-1 (Third Party Advisory)
USN-3017-2 (Third Party Advisory)
USN-3017-3 (Third Party Advisory)
USN-3018-1 (Third Party Advisory)
USN-3018-2 (Third Party Advisory)
USN-3019-1 (Third Party Advisory)
USN-3020-1 (Third Party Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=1349722 (Issue Tracking)
https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt (Exploit, Third Party Advisory)
https://github.com/torvalds/linux/commit/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c (Patch)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05347541
40435
40489
