CVE-2016-4997
Published: 24 June 2016
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
From the Ubuntu security team
Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
Priority
High
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
linux Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(4.4.0-28.47)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(3.13.0-91.138)
|
|
|
Patches: Introduced by 2722971cbe831117686039d5c334f2c0f560be13 Fixed by ce683e5f9d045e5d67d1312a42b359cb2ab2a13c Introduced by 2722971cbe831117686039d5c334f2c0f560be13 Fixed by 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 Introduced by 2722971cbe831117686039d5c334f2c0f560be13 Fixed by bdf533de6968e9686df777dc178486f600c6e617 |
||
|
linux-armadaxp Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-aws Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.4.0-1001.10)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(4.4.0-1002.2)
|
|
|
linux-azure Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.11.0-1009.9)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(4.15.0-1023.24~14.04.1)
|
|
|
linux-euclid Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.4.0-9019.20)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-flo Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(abandoned)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored)
|
|
|
linux-gcp Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.10.0-1004.4)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-gke Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.4.0-1003.3)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-goldfish Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(abandoned)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored)
|
|
|
linux-grouper Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored)
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-kvm Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.4.0-1004.9)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-linaro-omap Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-linaro-shared Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-linaro-vexpress Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-lts-quantal Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-lts-raring Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-lts-saucy Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-lts-utopic Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [3.16.0-76.98~14.04.1])
|
|
|
linux-lts-vivid Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [3.19.0-64.72~14.04.1])
|
|
|
linux-lts-wily Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [4.2.0-41.48~14.04.1])
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(4.4.0-28.47~14.04.1)
|
|
|
linux-maguro Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored)
|
|
|
linux-mako Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(abandoned)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored)
|
|
|
linux-manta Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was ignored)
|
|
|
linux-oem Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(4.13.0-1008.9)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-qcm-msm Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(4.4.0-1016.22)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(4.4.0-1019.22)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
linux-ti-omap4 Launchpad, Ubuntu, Debian |
Upstream |
Released
(4.7~rc1)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
Notes
| Author | Note |
|---|---|
| jdstrand | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support |
| sbeattie | priority is negligible on precise's 3.2 kernels, as user namespaces are a privileged operation there. For xenial and linux-lts-xenial on trusty, this can be mitigated against by setting the kernel.unprivileged_userns_clone sysctl to 0 to disable userns support. When we fix the netfilter issue we will also add this sysctl to all other supported kernels to allow disabling unprivileged user namespaces. Disabling user namespace may impact chromium-browser, lxc, lxd, docker, and other tools. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4997
- https://marc.info/?l=oss-security&m=146679591706851&w=2
- https://ubuntu.com/security/notices/USN-3016-1
- https://ubuntu.com/security/notices/USN-3016-2
- https://ubuntu.com/security/notices/USN-3017-1
- https://ubuntu.com/security/notices/USN-3017-3
- https://ubuntu.com/security/notices/USN-3016-3
- https://ubuntu.com/security/notices/USN-3016-4
- https://ubuntu.com/security/notices/USN-3017-2
- https://ubuntu.com/security/notices/USN-3020-1
- https://ubuntu.com/security/notices/USN-3018-2
- https://ubuntu.com/security/notices/USN-3018-1
- https://ubuntu.com/security/notices/USN-3019-1
- https://ubuntu.com/security/notices/USN-3338-1
- NVD
- Launchpad
- Debian