PT-2017-15012 · Linux+3 · Linux Kernel+3

Published

2017-12-20

·

Updated

2023-01-19

·

CVE-2017-17806

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 4.14.8
Description The HMAC implementation in the Linux kernel does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization. This issue affects systems that use the AF ALG-based hash interface and the SHA-3 hash algorithm.
Recommendations For Linux kernel versions prior to 4.14.8, update to version 4.14.8 or later to resolve the issue. As a temporary workaround, consider disabling the use of the SHA-3 hash algorithm until a patch is available. Restrict access to the AF ALG-based hash interface to minimize the risk of exploitation. Avoid using the CONFIG CRYPTO USER API HASH and CONFIG CRYPTO SHA3 configurations in the affected kernel versions until the issue is resolved.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

ALT-PU-2017-2818
ALT-PU-2017-2819
CVE-2017-17806
DLA-1232-1
DSA-4073-1
DSA-4082-1
OPENSUSE-SU-2018_0022-1
OPENSUSE-SU-2018_0023-1
RHSA-2018:2948
SUSE-SU-2018:0010-1
SUSE-SU-2018:0011-1
SUSE-SU-2018:0012-1
SUSE-SU-2018:0040-1
SUSE-SU-2018:0180-1
SUSE-SU-2018:0213-1
SUSE-SU-2018:0437-1
SUSE-SU-2018:0525-1
USN-3583-1
USN-3583-2
USN-3617-1
USN-3617-2
USN-3617-3
USN-3619-1
USN-3619-2
USN-3632-1

Affected Products

Alt Linux
Linux Kernel
Suse
Ubuntu