CVE-2017-13166

Impact:
Important
Public Date:
2017-07-20
CWE:
CWE-266
Bugzilla:
1548412: CVE-2017-13166 kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation
A bug in the 32-bit compatibility layer of the ioctl handling code of the v4l2 video driver in the Linux kernel has been found. A memory protection mechanism ensuring that user-provided buffers always point to a userspace memory were disabled, allowing destination address to be in a kernel space. This flaw could be exploited by an attacker to overwrite a kernel memory from an unprivileged userspace process, leading to privilege escalation.

Find out more about CVE-2017-13166 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 7.8
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (kernel) RHSA-2018:1062 2018-04-10
Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt) RHSA-2018:0676 2018-04-10
Red Hat Enterprise Linux 6 (kernel) RHSA-2018:1319 2018-05-08
Red Hat MRG Grid for RHEL 6 Server v.2 (kernel-rt) RHSA-2018:1170 2018-04-17
Red Hat Enterprise Linux 7 (kernel-alt) RHSA-2018:2948 2018-10-30
Red Hat Enterprise Linux Extended Update Support 7.4 (kernel) RHSA-2018:1130 2018-04-17

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 8 kernel Not affected
Red Hat Enterprise Linux 5 kernel Will not fix

Mitigation

A systemtap script intercepting v4l2_compat_ioctl32() function of the [videodev] module and making it to return -ENOIOCTLCMD error value would work just fine, except breaking all 32bit video capturing software, but not 64bit ones.

Alternatively, blacklisting [videodev] module will work too, but it will break all video capturing software.

Last Modified