Lucene search

[email protected]NVD:CVE-2017-1000366

HistoryJun 19, 2017 - 4:29 p.m.

CVE-2017-1000366

2017-06-1916:29:00

CWE-119

[email protected]

web.nvd.nist.gov

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.0%

JSON

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.

Affected configurations

NVD

Node

redhatenterprise_linuxMatch5server

redhatenterprise_linuxMatch6.0

redhatenterprise_linuxMatch7.0

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch6.6

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch5.9

redhatenterprise_linux_server_ausMatch6.2

redhatenterprise_linux_server_ausMatch6.4

redhatenterprise_linux_server_ausMatch6.5

redhatenterprise_linux_server_ausMatch6.6

redhatenterprise_linux_server_ausMatch7.2

redhatenterprise_linux_server_ausMatch7.3

redhatenterprise_linux_server_ausMatch7.4

redhatenterprise_linux_server_ausMatch7.6

redhatenterprise_linux_server_eusMatch6.2

redhatenterprise_linux_server_eusMatch6.5

redhatenterprise_linux_server_eusMatch6.7

redhatenterprise_linux_server_eusMatch7.2

redhatenterprise_linux_server_eusMatch7.3

redhatenterprise_linux_server_eusMatch7.4

redhatenterprise_linux_server_eusMatch7.5

redhatenterprise_linux_server_eusMatch7.6

redhatenterprise_linux_server_long_lifeMatch5.9

redhatenterprise_linux_server_tusMatch6.5

redhatenterprise_linux_server_tusMatch6.6

redhatenterprise_linux_server_tusMatch7.2

redhatenterprise_linux_server_tusMatch7.3

redhatenterprise_linux_server_tusMatch7.6

redhatenterprise_linux_workstationMatch6.0

redhatenterprise_linux_workstationMatch7.0

Node

openstackcloud_magnum_orchestrationMatch7

novellsuse_linux_enterprise_desktopMatch12.0sp2

novellsuse_linux_enterprise_point_of_saleMatch11.0sp3

novellsuse_linux_enterprise_serverMatch11.0sp3ltss

opensuseleapMatch42.2

suselinux_enterprise_for_sapMatch12sp1

suselinux_enterprise_serverMatch10sp4ltss

suselinux_enterprise_serverMatch11sp4

suselinux_enterprise_serverMatch12sp1ltss

suselinux_enterprise_serverMatch12sp2

suselinux_enterprise_serverMatch12sp2ltss

suselinux_enterprise_server_for_raspberry_piMatch12sp2

suselinux_enterprise_software_development_kitMatch11.0sp4

suselinux_enterprise_software_development_kitMatch12.0sp2

Node

gnuglibcRange≤2.25

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

Node

mcafeeweb_gatewayRange≤7.6.2.14

mcafeeweb_gatewayRange7.7.0.0–7.7.2.2

References

packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html

seclists.org/fulldisclosure/2019/Sep/7

www.debian.org/security/2017/dsa-3887

www.securityfocus.com/bid/99127

www.securitytracker.com/id/1038712

access.redhat.com/errata/RHSA-2017:1479

access.redhat.com/errata/RHSA-2017:1480

access.redhat.com/errata/RHSA-2017:1481

access.redhat.com/errata/RHSA-2017:1567

access.redhat.com/errata/RHSA-2017:1712

access.redhat.com/security/cve/CVE-2017-1000366

kc.mcafee.com/corporate/index?page=content&id=SB10205

seclists.org/bugtraq/2019/Sep/7

security.gentoo.org/glsa/201706-19

www.exploit-db.com/exploits/42274/

www.exploit-db.com/exploits/42275/

www.exploit-db.com/exploits/42276/

www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

www.suse.com/security/cve/CVE-2017-1000366/

www.suse.com/support/kb/doc/?id=7020973

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.0%

JSON

Related for NVD:CVE-2017-1000366