Skip to content

RVD#2564: The xfrm_replay_verify_len function does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a DoS #2564

New issue
New issue
Open
Open
RVD#2564: The xfrm_replay_verify_len function does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a DoS#2564
Labels
robot: ER-Flexrobot: ER-Literobot: ER-Onerobot: ER200robot: MiR100robot: MiR1000robot: MiR200robot: MiR250robot: MiR500robot: UVDseverity: high7.0 - 8.9vendor: Easy Roboticsvendor: Enabled Roboticsvendor: Mobile Industrial Robotsvendor: Robotplushttps://robotplus.es/vendor: UVD Robotsvulnerability
@rvd-bot

Description

@rvd-bot
rvd-bot
opened on Jun 24, 2020
id: 2564
title: 'RVD#2564: The xfrm_replay_verify_len function does not validate certain size
  data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges
  or cause a DoS'
type: vulnerability
description: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux
  kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE
  update, which allows local users to obtain root privileges or cause a denial of
  service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability,
  as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10
  linux-image-* package 4.8.0.41.52.
cwe: CWE-20
cve: CVE-2017-7184
keywords:
- MiR100, MiR200, MiR500, MiR250, MiR1000, ER200, ER-Lite, ER-Flex,
  ER-One, UVD
system: MiR100:v2.8.1.1 and before, MiR200, MiR250, MiR500, MiR1000, ER200,
  ER-Lite, ER-Flex, ER-One, UVD
vendor: Mobile Industrial Robots A/S, EasyRobotics, Enabled Robotics, UVD Robots
severity:
  rvss-score: 8.3
  rvss-vector: RVSS:1.0/AV:L/AC:L/PR:L/UI:N/Y:T/S:U/C:H/I:H/A:H/H:U/
  severity-description: High
  cvss-score: 7.8
  cvss-vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
links:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7184
- https://github.com/aliasrobotics/RVD/issues/2564
flaw:
  phase: runtime-operation
  specificity: general issue
  architectural-location: plataform code
  application: Linux
  subsystem: Kernel
  package: linux-image-generic 4.4.0.62.65 amd64
  languages: C
  date-detected: 2020-04-23
  detected-by: Offensive Team (Alias Robotics)
  detected-by-method: Testing Static, Alurity:test_vulners
  date-reported: '2020-06-24'
  reported-by: "V\xEDctor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/2564
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null

Metadata

Metadata