CVE-2017-7184
Publication date 19 March 2017
Last updated 25 August 2025
Ubuntu priority
CVSS 3 Severity Score
Description
The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.
From the Ubuntu Security Team
It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| linux | 16.04 LTS xenial | Fixed 4.4.0-71.92 |
| linux | 14.04 LTS trusty | Fixed 3.13.0-115.162 |
| linux-armadaxp | 16.04 LTS xenial | Not in release |
| linux-armadaxp | 14.04 LTS trusty | Not in release |
| linux-flo | 16.04 LTS xenial | Not in release |
| linux-flo | 14.04 LTS trusty | Not in release |
| linux-goldfish | 16.04 LTS xenial | Not in release |
| linux-goldfish | 14.04 LTS trusty | Not in release |
| linux-grouper | 16.04 LTS xenial | Not in release |
| linux-grouper | 14.04 LTS trusty | Not in release |
| linux-linaro-omap | 16.04 LTS xenial | Not in release |
| linux-linaro-omap | 14.04 LTS trusty | Not in release |
| linux-linaro-shared | 16.04 LTS xenial | Not in release |
| linux-linaro-shared | 14.04 LTS trusty | Not in release |
| linux-linaro-vexpress | 16.04 LTS xenial | Not in release |
| linux-linaro-vexpress | 14.04 LTS trusty | Not in release |
| linux-lts-quantal | 16.04 LTS xenial | Not in release |
| linux-lts-quantal | 14.04 LTS trusty | Not in release |
| linux-lts-raring | 16.04 LTS xenial | Not in release |
| linux-lts-raring | 14.04 LTS trusty | Not in release |
| linux-lts-saucy | 16.04 LTS xenial | Not in release |
| linux-lts-saucy | 14.04 LTS trusty | Not in release |
| linux-lts-trusty | 16.04 LTS xenial | Not in release |
| linux-lts-trusty | 14.04 LTS trusty | Not in release |
| linux-maguro | 16.04 LTS xenial | Not in release |
| linux-maguro | 14.04 LTS trusty | Not in release |
| linux-mako | 16.04 LTS xenial | Not in release |
| linux-mako | 14.04 LTS trusty | Not in release |
| linux-manta | 16.04 LTS xenial | Not in release |
| linux-manta | 14.04 LTS trusty | Not in release |
| linux-aws | 16.04 LTS xenial | Fixed 4.4.0-1012.21 |
| linux-aws | 14.04 LTS trusty | Not affected |
| linux-azure | 16.04 LTS xenial | Not affected |
| linux-azure | 14.04 LTS trusty | Not affected |
| linux-euclid | 16.04 LTS xenial | Not in release |
| linux-euclid | 14.04 LTS trusty | Not in release |
| linux-gcp | 16.04 LTS xenial | Not affected |
| linux-gcp | 14.04 LTS trusty | Not in release |
| linux-gke | 16.04 LTS xenial | Fixed 4.4.0-1009.9 |
| linux-gke | 14.04 LTS trusty | Not in release |
| linux-hwe | 16.04 LTS xenial | Fixed 4.8.0-45.48~16.04.1 |
| linux-hwe | 14.04 LTS trusty | Not in release |
| linux-hwe-edge | 16.04 LTS xenial | Fixed 4.8.0-45.48~16.04.1 |
| linux-hwe-edge | 14.04 LTS trusty | Not in release |
| linux-kvm | 16.04 LTS xenial | Not affected |
| linux-kvm | 14.04 LTS trusty | Not in release |
| linux-lts-utopic | 16.04 LTS xenial | Not in release |
| linux-lts-utopic | 14.04 LTS trusty | Not in release |
| linux-lts-vivid | 16.04 LTS xenial | Not in release |
| linux-lts-vivid | 14.04 LTS trusty | Not in release |
| linux-lts-wily | 16.04 LTS xenial | Not in release |
| linux-lts-wily | 14.04 LTS trusty | Not in release |
| linux-lts-xenial | 16.04 LTS xenial | Not in release |
| linux-lts-xenial | 14.04 LTS trusty | Fixed 4.4.0-71.92~14.04.1 |
| linux-oem | 16.04 LTS xenial | Not affected |
| linux-oem | 14.04 LTS trusty | Not in release |
| linux-raspi2 | 16.04 LTS xenial | Fixed 4.4.0-1051.58 |
| linux-raspi2 | 14.04 LTS trusty | Not in release |
| linux-snapdragon | 16.04 LTS xenial | Fixed 4.4.0-1054.58 |
| linux-snapdragon | 14.04 LTS trusty | Not in release |
| linux-qcm-msm | 16.04 LTS xenial | Not in release |
| linux-qcm-msm | 14.04 LTS trusty | Not in release |
| linux-ti-omap4 | 16.04 LTS xenial | Not in release |
| linux-ti-omap4 | 14.04 LTS trusty | Not in release |
Notes
jdstrand
- android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels
- linux-lts-saucy no longer receives official support
- linux-lts-quantal no longer receives official support
Patch details
| Package | Patch details | 
|---|---|
| linux | 
Severity score breakdown
| Parameter | Value | 
|---|---|
| Base score | |
| Attack vector | Local | 
| Attack complexity | Low | 
| Privileges required | Low | 
| User interaction | None | 
| Scope | Unchanged | 
| Confidentiality | High | 
| Integrity impact | High | 
| Availability impact | High | 
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 
References
Related Ubuntu Security Notices (USN)
- USN-3248-1: Linux kernel vulnerability, 29 March 2017
- USN-3250-1: Linux kernel vulnerability, 29 March 2017
- USN-3251-2: Linux kernel (HWE) vulnerability, 30 March 2017
- USN-3250-2: Linux kernel (Trusty HWE) vulnerability, 29 March 2017
- USN-3251-1: Linux kernel vulnerability, 29 March 2017
- USN-3249-1: Linux kernel vulnerability, 29 March 2017
- USN-3249-2: Linux kernel (Xenial HWE) vulnerability, 30 March 2017
Other references
- http://www.eweek.com/security/ubuntu-linux-falls-on-day-1-of-pwn2own-hacking-competition
- https://blog.trendmicro.com/results-pwn2own-2017-day-one/
- https://twitter.com/thezdi/status/842126074435665920
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=52b9c816807abd46c285cd8ab183fe93194bfb3f
- https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a
- https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df
- https://www.cve.org/CVERecord?id=CVE-2017-7184