Security Experts:

Linux Kernel Flaw Disclosed at Pwn2Own Patched

The Linux kernel vulnerability leveraged at the Zero Day Initiative’s Pwn2Own 2017 competition to hack Ubuntu has been patched.

The flaw was disclosed at the event by researchers at Beijing-based enterprise security firm Chaitin Tech. The exploit, which earned the hackers $15,000, was part of the only attempt to break Ubuntu at this year’s Pwn2Own.

The vulnerability, tracked as CVE-2017-7184, has been described as an out-of-bounds heap access weakness that can be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code. A local attacker can exploit the flaw to escalate privileges on the system.

“The specific flaw exists within the handling of xfrm states,” ZDI explained in its advisory. “The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.”

The vulnerability was addressed in the Linux kernel a few days after Pwn2Own ended. Ubuntu has released fixes and other Linux distributions are working on patches as well.

Red Hat has classified it “high severity,” but pointed out that the flaw cannot be exploited for privilege escalation on default or common configurations of Red Hat Enterprise Linux 5, 6 and 7.

Mozilla and VMware have also patched the Firefox and Workstation vulnerabilities disclosed at Pwn2Own, and ZDI has made its advisories public for these security holes.

Related: Another Old Flaw Patched in Linux Kernel

Related: Code Execution Flaw Affected Linux Kernel Since 2005

Related: "Dirty COW" Linux Kernel Exploit Seen in the Wild

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.