CVE-2017-11600
First published: Mon Jul 24 2017(Updated: )
net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/linux | 4.19.249-2 4.19.289-2 5.10.197-1 5.10.205-2 6.1.66-1 6.1.69-1 6.5.13-1 6.6.9-1 | |
| Linux kernel | >=2.6.21<3.2.93 | |
| Linux kernel | >=3.3<3.10.108 | |
| Linux kernel | >=3.11<3.18.70 | |
| Linux kernel | >=3.19<4.1.45 | |
| Linux kernel | >=4.2<4.4.87 | |
| Linux kernel | >=4.5<4.9.48 | |
| Linux kernel | >=4.10<4.12.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html
- http://seclists.org/bugtraq/2017/Jul/30
- http://www.debian.org/security/2017/dsa-3981
- http://www.securityfocus.com/bid/99928
- https://access.redhat.com/errata/RHSA-2018:1965
- https://access.redhat.com/errata/RHSA-2018:2003
- https://access.redhat.com/errata/RHSA-2019:1170
- https://access.redhat.com/errata/RHSA-2019:1190
- https://source.android.com/security/bulletin/pixel/2017-11-01
- http://marc.info/?t=150169629800003&r=1&w=2
- http://marc.info/?l=linux-netdev&m=150169627919528&w=2
- https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1474929
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1308338
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1308338&action=edit
- https://bugzilla.redhat.com/show_bug.cgi?id=1474928
- https://security-tracker.debian.org/tracker/CVE-2017-11600
Frequently Asked Questions
What is the severity of CVE-2017-11600?
CVE-2017-11600 has a medium severity rating due to its potential to cause a denial of service.
How do I fix CVE-2017-11600?
To fix CVE-2017-11600, ensure that your Linux kernel is upgraded to a version later than 4.12.3 that includes the necessary patches.
Which systems are affected by CVE-2017-11600?
CVE-2017-11600 affects Linux kernel versions prior to 4.12.3 when CONFIG_XFRM_MIGRATE is enabled.
What are the risks associated with CVE-2017-11600?
The risks associated with CVE-2017-11600 include potential denial of service and out-of-bounds memory access.
Is there a workaround for CVE-2017-11600?
A temporary workaround for CVE-2017-11600 involves disabling the CONFIG_XFRM_MIGRATE option if it is not needed.
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-11600
- agent/references
- agent/author
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.6.21
- version/linux kernel/3.3
- version/linux kernel/3.11
- version/linux kernel/3.19
- version/linux kernel/4.2
- version/linux kernel/4.5
- version/linux kernel/4.10