CVE-2017-1000366

Description

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.

CVSS Metrics

• v3.0•HIGH•Score: 7.8CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 8.87%• Percentile: 93%

Techniques & Countermeasures

• CWE-119•Improper Restriction of Operations within the Bounds of a Memory Buffer

  The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Affected Systems

• debian•debian_linux

  8.0 | 9.0

• gnu•glibc

  ≤ 2.25

• mcafee•web_gateway

  ≤ 7.6.2.14 | ≥ 7.7.0.0, ≤ 7.7.2.2

• novell•suse_linux_enterprise_desktop

  12.0:sp2

• novell•suse_linux_enterprise_point_of_sale

  11.0:sp3

• novell•suse_linux_enterprise_server

  11.0:sp3

• openstack•cloud_magnum_orchestration

  7

• opensuse•leap

  42.2

• redhat•enterprise_linux

  5 | 6.0 | 7.0

• redhat•enterprise_linux_desktop

  6.0 | 7.0

• redhat•enterprise_linux_server

  6.0 | 6.6 | 7.0

• redhat•enterprise_linux_server_aus

  5.9 | 6.2 | 6.4 | 6.5 | 6.6 | 7.2 | 7.3 | 7.4 | 7.6

• redhat•enterprise_linux_server_eus

  6.2 | 6.5 | 6.7 | 7.2 | 7.3 | 7.4 | 7.5 | 7.6

• redhat•enterprise_linux_server_long_life

  5.9

• redhat•enterprise_linux_server_tus

  6.5 | 6.6 | 7.2 | 7.3 | 7.6

• redhat•enterprise_linux_workstation

  6.0 | 7.0

• suse•linux_enterprise_for_sap

  12:sp1

• suse•linux_enterprise_server

  10:sp4 | 11:sp4 | 12:sp1 | 12:sp2

• suse•linux_enterprise_server_for_raspberry_pi

  12:sp2

• suse•linux_enterprise_software_development_kit

  11.0:sp4 | 12.0:sp2

References (20)

• https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
• http://www.securitytracker.com/id/1038712
• https://www.exploit-db.com/exploits/42275/
• https://access.redhat.com/errata/RHSA-2017:1712
• https://www.suse.com/security/cve/CVE-2017-1000366/
• https://access.redhat.com/errata/RHSA-2017:1479
• https://access.redhat.com/errata/RHSA-2017:1480
• http://www.securityfocus.com/bid/99127
• https://www.exploit-db.com/exploits/42276/
• https://www.suse.com/support/kb/doc/?id=7020973
• https://access.redhat.com/errata/RHSA-2017:1567
• https://www.exploit-db.com/exploits/42274/
• https://access.redhat.com/security/cve/CVE-2017-1000366
• https://access.redhat.com/errata/RHSA-2017:1481
• http://www.debian.org/security/2017/dsa-3887
• https://security.gentoo.org/glsa/201706-19
• https://kc.mcafee.com/corporate/index?page=content&id=SB10205
• http://seclists.org/fulldisclosure/2019/Sep/7
• https://seclists.org/bugtraq/2019/Sep/7
• http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html