CVE-2017-16997

Current Description

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Basic Data

PublishedDecember 18, 2017
Last ModifiedApril 26, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-426
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityMEDIUM
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactCOMPLETE
CVSS 2 - Availability ImpactCOMPLETE
CVSS 2 - Base Score9.3
SeverityHIGH
Exploitability Score8.6
Impact Score10.0
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 3 - Attack VectorLOCAL
CVSS 3 - Attack ComplexityLOW
CVSS 3 - Privileges RequiredNONE
CVSS 3 - User InteractionREQUIRED
CVSS 3 - ScopeUNCHANGED
CVSS 3 - Confidentiality ImpactHIGH
CVSS 3 - Integrity ImpactHIGH
CVSS 3 - Availability ImpactHIGH
CVSS 3 - Base Score7.8
CVSS 3 - Base SeverityHIGH
Exploitability Score1.8
Base SeverityHIGH

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationGnuGlibc2.19*******
    2.3ApplicationGnuGlibc2.20*******
    2.3ApplicationGnuGlibc2.21*******
    2.3ApplicationGnuGlibc2.22*******
    2.3ApplicationGnuGlibc2.23*******
    2.3ApplicationGnuGlibc2.25*******
    2.3ApplicationGnuGlibc2.26*******
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSRedhatEnterprise Linux Desktop7.0*******
    2.3OSRedhatEnterprise Linux Server7.0*******
    2.3OSRedhatEnterprise Linux Workstation7.0*******
    2.3OSRedhatVirtualization4.0*******

Vulnerable Software List

VendorProductVersions
Redhat Enterprise Linux Workstation 7.0
Redhat Enterprise Linux Desktop 7.0
Redhat Virtualization 4.0
Redhat Enterprise Linux Server 7.0
Gnu Glibc 2.19, 2.20, 2.21, 2.22, 2.23, 2.25, 2.26

References

NameSourceURLTags
102228http://www.securityfocus.com/bid/102228BIDThird Party Advisory VDB Entry
RHBA-2019:0327https://access.redhat.com/errata/RHBA-2019:0327REDHATThird Party Advisory
RHSA-2018:3092https://access.redhat.com/errata/RHSA-2018:3092REDHATThird Party Advisory
https://bugs.debian.org/884615https://bugs.debian.org/884615CONFIRMIssue Tracking Mailing List Patch Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=22625https://sourceware.org/bugzilla/show_bug.cgi?id=22625CONFIRMIssue Tracking Patch Third Party Advisory
https://sourceware.org/ml/libc-alpha/2017-12/msg00528.htmlhttps://sourceware.org/ml/libc-alpha/2017-12/msg00528.htmlCONFIRMIssue Tracking Patch Third Party Advisory