Out-of-bounds read in Linux kernel - CVE-2017-5897
Published: February 9, 2017 / Updated: February 10, 2017
Vulnerability identifier: #VU5675
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-5897
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The vulnerability exists due to boundary error when processing GRE packets in ip6gre_err() function in net/ipv6/ip6_gre.c. A remote attacker can send specially crafted GRE packets to IPv6 interface, trigger out-of-bounds read and obtain memory contents or cause denial of service.Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information, stored in RAM, such as passwords, encryption keys, etc.
How to mitigate CVE-2017-5897
Install patch from GIT repository:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a...
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a...