Resource exhaustion in Linux kernel

#VU12299 Resource exhaustion in Linux kernel

Cybersecurity Help s.r.o.

Published: 2020-03-18

Vulnerability identifier: #VU12299

Vulnerability risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-7472

CWE-ID: CWE-400

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description
The vulnerability allows a local attacker to cause DoD condition on the target system.

The weakness exists in the KEYS subsystem due to memory consumption. A local attacker can cause the service to crash via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.

Mitigation
Update to version 4.10.13.

Vulnerable software versions

Linux kernel: 4.10.0 - 4.10.12

External links
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c9f838d104fed6f2f61d681647...

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle VM Server for x86

SUSE Linux update for the Linux Kernel

Multiple vulnerabilities in Linux Kernel