CVE-2017-1000112

Home/CVE/Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE

CVE

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption.

In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb-len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev-len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative.

Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

HIGH · CVSS 7 EPSS 0.8286

Act now

EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 1% of all CVEs by exploitation likelihood
Reliable Metasploit module available (rank: Good) - weaponised exploit code
Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2017-1000112, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2017-1000112

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1068 · Exploitation for Privilege Escalation

▤ Build a SIEM detection for these techniques

▤

CAPEC attack patterns

Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.

CAPEC-CAPEC-26 · Leveraging Race Conditions CAPEC-CAPEC-29 · Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

⬡

Weakness Classification

CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

▤

Affected Products & Versions

linux kernel>= 2.6.15 and < 3.10.108
linux kernel>= 3.11 and < 3.16.47
linux kernel>= 3.17 and < 3.18.65
linux kernel>= 3.19 and < 4.4.82
linux kernel>= 4.5 and < 4.9.43
linux kernel>= 4.10 and < 4.12.7

▤

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Ubuntu:14.04:LTS linux fixed in 3.13.0-128.177

Ubuntu:14.04:LTS linux-aws fixed in 4.4.0-1002.2

Ubuntu:14.04:LTS linux-azure fixed in 4.15.0-1023.24~14.04.1

Ubuntu:14.04:LTS linux-lts-xenial fixed in 4.4.0-91.114~14.04.1

Ubuntu:16.04:LTS linux fixed in 4.4.0-91.114

Ubuntu:16.04:LTS linux-aws fixed in 4.4.0-1030.39

Ubuntu:16.04:LTS linux-aws-hwe fixed in 4.15.0-1030.31~16.04.1

Ubuntu:16.04:LTS linux-azure fixed in 4.11.0-1009.9

Ubuntu:16.04:LTS linux-euclid fixed in 4.4.0-9019.20

Ubuntu:16.04:LTS linux-gcp fixed in 4.10.0-1004.4

Ubuntu:16.04:LTS linux-gke fixed in 4.4.0-1026.26

Ubuntu:16.04:LTS linux-hwe fixed in 4.10.0-32.36~16.04.1

Ubuntu:16.04:LTS linux-kvm fixed in 4.4.0-1004.9

Ubuntu:16.04:LTS linux-oem fixed in 4.13.0-1008.9

Ubuntu:16.04:LTS linux-oracle fixed in 4.15.0-1007.9~16.04.1

Ubuntu:16.04:LTS linux-raspi2 fixed in 4.4.0-1069.77

Ubuntu:16.04:LTS linux-snapdragon fixed in 4.4.0-1071.76

Ubuntu:18.04:LTS linux fixed in 4.13.0-16.19

Ubuntu:18.04:LTS linux-aws fixed in 4.15.0-1001.1

Ubuntu:18.04:LTS linux-aws-5.4 fixed in 5.4.0-1018.18~18.04.1

Ubuntu:18.04:LTS linux-azure fixed in 4.15.0-1002.2

Ubuntu:18.04:LTS linux-azure-4.15 fixed in 4.15.0-1082.92

Ubuntu:18.04:LTS linux-azure-5.4 fixed in 5.4.0-1020.20~18.04.1

Ubuntu:18.04:LTS linux-gcp fixed in 4.15.0-1001.1

Ubuntu:18.04:LTS linux-gcp-4.15 fixed in 4.15.0-1071.81

Ubuntu:18.04:LTS linux-gcp-5.4 fixed in 5.4.0-1019.19~18.04.2

Ubuntu:18.04:LTS linux-hwe-5.4 fixed in 5.4.0-37.41~18.04.1

Ubuntu:18.04:LTS linux-hwe-edge fixed in 5.0.0-15.16~18.04.1

Ubuntu:18.04:LTS linux-ibm-5.4 fixed in 5.4.0-1010.11~18.04.2

Ubuntu:18.04:LTS linux-kvm fixed in 4.15.0-1002.2

Ubuntu:18.04:LTS linux-oem fixed in 4.15.0-1002.3

Ubuntu:18.04:LTS linux-oracle fixed in 4.15.0-1007.9

Ubuntu:18.04:LTS linux-oracle-5.4 fixed in 5.4.0-1019.19~18.04.1

Ubuntu:18.04:LTS linux-raspi-5.4 fixed in 5.4.0-1013.13~18.04.1

Ubuntu:18.04:LTS linux-raspi2 fixed in 4.13.0-1005.5

Ubuntu:20.04:LTS linux fixed in 5.4.0-9.12

Ubuntu:20.04:LTS linux-aws fixed in 5.4.0-1005.5

Ubuntu:20.04:LTS linux-aws-5.15 fixed in 5.15.0-1014.18~20.04.1

Ubuntu:20.04:LTS linux-azure fixed in 5.4.0-1006.6

Ubuntu:20.04:LTS linux-azure-5.15 fixed in 5.15.0-1007.8~20.04.1

⚠

Public Exploits & PoCs

These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.
localLinux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)verified
localLinux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)verified
localLinux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)2018-12-29
pocol0273st-s/CVE-2017-1000112-Adpated (nomi-sec)
pocIT19083124/SNP-Assignment (nomi-sec)
pocSpydomain/CVE-2017-1000112-PoC (nomi-sec)
pochikame/docker_escape_pwn (nomi-sec)
pocxairy/kernel-exploits (trickest)
poc0dayhunter/Linux-exploit-suggester (trickest)
poc0xTo/linux-kernel-exploits (trickest)
poc84KaliPleXon3/linux-exploit-suggester (trickest)
pocARPSyndicate/cvemon (trickest)
pocAl1ex/LinuxEelvation (trickest)
pocAmariHana/Linux_menthor (trickest)
pocC0dak/linux-kernel-exploits (trickest)
pocC0dak/local-root-exploit- (trickest)
pocDe4dCr0w/Linux-kernel-EoP-exp (trickest)
pocFeng4/linux-kernel-exploits (trickest)
pocwww.exploit-db.com · 45147www.exploit-db.com

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
oracle allkernel fixed in 0:2.6.32-696.16.1.el6
oracle allkernel-abi-whitelists open
oracle allkernel-debug open
oracle allkernel-debug-devel open
oracle allkernel-devel fixed in 0:2.6.32-696.16.1.el6
oracle allkernel-firmware open
oracle allkernel-headers open
oracle allkernel-tools open
oracle allkernel-tools-libs open
oracle allkernel-tools-libs-devel fixed in 0:3.10.0-693.5.2.el7
oracle allkernel-uek fixed in 0:4.1.12-103.7.4.el6uek
oracle allkernel-uek-debug open
oracle allkernel-uek-debug-devel fixed in 0:4.1.12-103.7.4.el6uek
oracle allkernel-uek-devel open
oracle allkernel-uek-firmware open
oracle allperf open
oracle allpython-perf fixed in 0:2.6.32-696.16.1.el6

⚙

Metasploit Modules

Weaponised exploit modules in the Metasploit Framework. Rank is Metasploit’s reliability rating - Excellent/Great/Good means dependable, real-world exploit code (a strong “act now” signal), not a fragile PoC.

Goodexploit/linux/local/ufo_privilege_escalation2017-08-10

▣

Scoring & Timeline

HIGH · CVSS v3.1 · [email protected]

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD05 Oct 2017 · 01:29 AM

CVSS VectorCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

⚑

Vendor Advisories

rhsaRHSA-2019:4159Important
suse-csafSUSE-SU-2017:3265-1
suse-csafSUSE-SU-2017:2956-1
suse-csafSUSE-SU-2017:2813-1
suse-csafSUSE-SU-2017:2775-1
Show all 30 vendor advisoriessuse-csafSUSE-SU-2017:2791-1
suse-csafSUSE-SU-2017:2694-1
suse-csafSUSE-SU-2017:2525-1
suse-csafSUSE-SU-2017:2497-1
suse-csafSUSE-SU-2017:2498-1
suse-csafSUSE-SU-2017:2499-1
suse-csafSUSE-SU-2017:2500-1
suse-csafSUSE-SU-2017:2506-1
suse-csafSUSE-SU-2017:2508-1
suse-csafSUSE-SU-2017:2509-1
suse-csafSUSE-SU-2017:2510-1
suse-csafSUSE-SU-2017:2511-1
suse-csafSUSE-SU-2017:2454-1
suse-csafSUSE-SU-2017:2455-1
suse-csafSUSE-SU-2017:2456-1
suse-csafSUSE-SU-2017:2457-1
suse-csafSUSE-SU-2017:2458-1
suse-csafSUSE-SU-2017:2464-1
suse-csafSUSE-SU-2017:2465-1
suse-csafSUSE-SU-2017:2467-1
suse-csafSUSE-SU-2017:2469-1
suse-csafSUSE-SU-2017:2471-1
suse-csafSUSE-SU-2017:2472-1
suse-csafSUSE-SU-2017:2473-1
suse-csafSUSE-SU-2017:2474-1

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://seclists.org/oss-sec/2017/q3/277Mailing ListPatchThird Party Advisory

http://www.debian.org/security/2017/dsa-3981Third Party Advisory

http://www.securityfocus.com/bid/100262Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039162Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:2918Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2930Third Party Advisory

Show all 11 references

https://access.redhat.com/errata/RHSA-2017:2931Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3200Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1931Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1932Third Party Advisory

https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112Third Party Advisory