Vulnerability Name:

CVE-2017-1000405

Assigned: 2017-11-29
Published: 2017-11-30
Updated: 2017-12-05
Summary: The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such a case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic: a pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty COW" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow an attacker to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP.
CVSS v3 Severity: 8.4 High (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v3 Temporal Severity: 7.6 High (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
References:

Source: BID
Type: UNKNOWN
102032

Source: XF
Type: UNKNOWN
linux-kernel-cve20171000405-priv-esc(135719)

Source: MISC
Type: UNKNOWN
https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0

Source: EXPLOIT-DB
Type: UNKNOWN
43199

Vulnerable Configuration:
Configuration CCN 1:
  • cpe:/o:linux:kernel:2.6.0:*:*:*:*:*:*:*

  • Denotes that the component is vulnerable

Oval Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.opensuse.security:def:20171000405 | V | CVE-2017-1000405 | 2017-12-15 |
| oval:com.ubuntu.xenial:def:20171000405000 | V | CVE-2017-1000405 on Ubuntu 16.04 LTS (xenial) - high. | 2017-11-30 |
| oval:com.ubuntu.trusty:def:20171000405000 | V | CVE-2017-1000405 on Ubuntu 14.04 LTS (trusty) - high. | 2017-11-30 |