Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Linux Kernel Flaw Disclosed at Pwn2Own Patched

The Linux kernel vulnerability leveraged at the Zero Day Initiative’s Pwn2Own 2017 competition to hack Ubuntu has been patched.

The Linux kernel vulnerability leveraged at the Zero Day Initiative’s Pwn2Own 2017 competition to hack Ubuntu has been patched.

The flaw was disclosed at the event by researchers at Beijing-based enterprise security firm Chaitin Tech. The exploit, which earned the hackers $15,000, was part of the only attempt to break Ubuntu at this year’s Pwn2Own.

The vulnerability, tracked as CVE-2017-7184, has been described as an out-of-bounds heap access weakness that can be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code. A local attacker can exploit the flaw to escalate privileges on the system.

“The specific flaw exists within the handling of xfrm states,” ZDI explained in its advisory. “The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.”

The vulnerability was addressed in the Linux kernel a few days after Pwn2Own ended. Ubuntu has released fixes and other Linux distributions are working on patches as well.

Red Hat has classified it “high severity,” but pointed out that the flaw cannot be exploited for privilege escalation on default or common configurations of Red Hat Enterprise Linux 5, 6 and 7.

Mozilla and VMware have also patched the Firefox and Workstation vulnerabilities disclosed at Pwn2Own, and ZDI has made its advisories public for these security holes.

Related: Another Old Flaw Patched in Linux Kernel

Advertisement. Scroll to continue reading.

Related: Code Execution Flaw Affected Linux Kernel Since 2005

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.