CVE-2017-18509

An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.

From the Ubuntu Security Team

It was discovered that the IPv6 implementation in the Linux kernel did not properly validate socket options in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

• How can I get the fixes?
• What do statuses mean?
• Patch details

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-4145-1
• Linux kernel vulnerabilities
• 1 October 2019

Other references

• https://git.kernel.org/linus/99253eb750fda6a644d5188fb26c43bad8d5a745
• https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-inetcsklistenstop-gpf
• https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=99253eb750fda6a644d5188fb26c43bad8d5a745
• https://github.com/torvalds/linux/commit/99253eb750fda6a644d5188fb26c43bad8d5a745
• https://lists.debian.org/debian-lts-announce/2019/08/msg00016.html
• https://lists.openwall.net/netdev/2017/12/04/40
• https://salsa.debian.org/kernel-team/linux/commit/baefcdc2f29923e7325ce4e1a72c3ff0a9800f32
• https://www.debian.org/security/2019/dsa-4497
• https://www.cve.org/CVERecord?id=CVE-2017-18509