PT-2017-15013 · Linux+4 · Linux Kernel+4

Published

2017-12-15

Updated

2020-04-08

CVE-2017-17807

CVSS v3.1

3.3

Low

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 4.14.6

Description The issue concerns the KEYS subsystem in the Linux kernel, which failed to perform an access-control check when adding a key to the current task's "default request-key keyring" via the request key() system call. This allowed a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission, not Write permission, related to the construct get dest keyring() function in security/keys/request key.c.

Recommendations For Linux kernel versions prior to 4.14.6, update to version 4.14.6 or later to resolve the issue.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

ALT-PU-2017-2802

ALT-PU-2018-1991

CESA-2020_1016

CVE-2017-17807

DLA-1232-1

DSA-4073-1

DSA-4082-1

RHSA-2020:1016

RHSA-2020:1070

RHSA-2020_1016

RHSA-2020_1070

USN-3617-1

USN-3617-2

USN-3617-3

USN-3619-1

USN-3619-2

USN-3620-1

USN-3620-2

USN-3632-1

Affected Products

Alt Linux

Centos

Linux Kernel

Red Hat

Ubuntu

PT-2017-15013 · Linux+4 · Linux Kernel+4

CVE-2017-17807

Weakness Enumeration

Related Identifiers

Affected Products

References · 81