CVE-2017-18017 - Use After Free

Severity

99%

Complexity

99%

Confidentiality

165%

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.

CVSS 3.0 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 9.9. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Demo Examples

Use After Free

CWE-416

The following example demonstrates the weakness.


               
}
free(buf3R2);

Use After Free

CWE-416

The following code illustrates a use after free error:


               
}
free(ptr);
logError("operation aborted before commit", ptr);

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Overview

Type

Linux Kernel

First reported 7 years ago

2018-01-03 06:29:00

Last updated 6 years ago

2018-11-30 21:31:00

Affected Software

Linux Kernel 4.9

4.9

Linux Kernel 4.9.1

4.9.1

Linux Kernel 4.9.2

4.9.2

Linux Kernel 4.9.3

4.9.3

Linux Kernel 4.9.4

4.9.4

Linux Kernel 4.9.5

4.9.5

Linux Kernel 4.9.6

4.9.6

Linux Kernel 4.9.7

4.9.7

Linux Kernel 4.9.8

4.9.8

Linux Kernel 4.9.9

4.9.9

Linux Kernel 4.9.10

4.9.10

Linux Kernel 4.9.11

4.9.11

Linux Kernel 4.9.12

4.9.12

Linux Kernel 4.9.13

4.9.13

Linux Kernel 4.9.14

4.9.14

Linux Kernel 4.9.15

4.9.15

Linux Kernel 4.9.16

4.9.16

Linux Kernel 4.9.17

4.9.17

Linux Kernel 4.9.18

4.9.18

Linux Kernel 4.9.19

4.9.19

Linux Kernel 4.9.20

4.9.20

Linux Kernel 4.9.21

4.9.21

Linux Kernel 4.9.22

4.9.22

Linux Kernel 4.9.23

4.9.23

Linux Kernel 4.9.24

4.9.24

Linux Kernel 4.9.25

4.9.25

Linux Kernel 4.9.26

4.9.26

Linux Kernel 4.9.27

4.9.27

Linux Kernel 4.9.28

4.9.28

Linux Kernel 4.9.29

4.9.29

Linux Kernel 4.9.30

4.9.30

Linux Kernel 4.9.31

4.9.31

Linux Kernel 4.9.32

4.9.32

Linux Kernel 4.9.33

4.9.33

Linux Kernel 4.9.34

4.9.34

Linux Kernel 4.9.35

4.9.35

Linux Kernel 4.10

4.10

Linux Kernel 4.10.1

4.10.1

Linux Kernel 4.10.2

4.10.2

Linux Kernel 4.10.3

4.10.3

Linux Kernel 4.10.4

4.10.4

Linux Kernel 4.10.5

4.10.5

Linux Kernel 4.10.6

4.10.6

Linux Kernel 4.10.7

4.10.7

Linux Kernel 4.10.8

4.10.8

Linux Kernel 4.10.9

4.10.9

Linux Kernel 4.10.10

4.10.10

Linux Kernel 4.10.11

4.10.11

Linux Kernel 4.10.12

4.10.12

Linux Kernel 4.10.13

4.10.13

Linux Kernel 4.10.14

4.10.14

Linux Kernel 4.10.15

4.10.15

Linux Linux Kernel 4.11 Release Candidate 1

4.11

Linux Linux Kernel 4.11 Release Candidate 2

4.11

Linux Linux Kernel 4.11 Release Candidate 3

4.11

Linux Linux Kernel 4.11 Release Candidate 4

4.11

Linux Linux Kernel 4.11 Release Candidate 5

4.11

Linux Linux Kernel 4.11 Release Candidate 6

4.11

Linux Linux Kernel 4.11 Release Candidate 7

4.11

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2638fd0f92d4397884fd991d8f4925cb3f081901

Patch, Third Party Advisory

http://patchwork.ozlabs.org/patch/746618/

Patch, Third Party Advisory

102367

Third Party Advisory, VDB Entry

RHSA-2018:0676

RHSA-2018:1062

RHSA-2018:1130

RHSA-2018:1170

RHSA-2018:1319

RHSA-2018:1737

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1739765

Issue Tracking, Third Party Advisory

https://github.com/torvalds/linux/commit/2638fd0f92d4397884fd991d8f4925cb3f081901

Patch, Third Party Advisory

https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update

https://lkml.org/lkml/2017/4/2/13

Third Party Advisory

USN-3583-1

USN-3583-2

DSA-4187

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.36

Release Notes, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.