CVE-2017-1000410
Published: 7 December 2017
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes).
From the Ubuntu Security Team
It was discovered that an information leak vulnerability existed in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could possibly expose sensitive information (kernel memory).
Priority
Status
Package | Release | Status |
---|---|---|
linux Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(4.13.0-11.12)
|
bionic |
Not vulnerable
(4.15.0-10.11)
|
|
cosmic |
Not vulnerable
(4.15.0-20.21)
|
|
precise |
Ignored
(was needs-triage ESM criteria)
|
|
trusty |
Released
(3.13.0-168.218)
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.4.0-119.143)
|
|
zesty |
Released
(4.10.0-35.39)
|
|
Patches: Introduced by 42dceae2819b5ac6fc9a0d414ae05a8960e2a1d9 Introduced by 66af7aaf9edff55b7995bbe1ff508513666d0671 |
||
linux-armadaxp Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
This package is not directly supported by the Ubuntu Security Team | ||
linux-aws Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(4.15.0-1001.1)
|
|
cosmic |
Not vulnerable
(4.15.0-1007.7)
|
|
precise |
Does not exist
|
|
trusty |
Released
(4.4.0-1016.16)
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.4.0-1054.63)
|
|
zesty |
Does not exist
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Not vulnerable
(4.15.0-1030.31~16.04.1)
|
|
linux-azure Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(4.15.0-1002.2)
|
|
cosmic |
Not vulnerable
(4.15.0-1009.9)
|
|
precise |
Does not exist
|
|
trusty |
Not vulnerable
(4.15.0-1023.24~14.04.1)
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.15.0-1013.13~16.04.2)
|
|
zesty |
Does not exist
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1002.2)
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.15.0-1013.13~16.04.2)
|
|
linux-euclid Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Ignored
(was needs-triage ESM criteria)
|
|
zesty |
Does not exist
|
|
linux-flo Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Ignored
(abandoned)
|
|
zesty |
Does not exist
|
|
linux-gcp Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(4.15.0-1001.1)
|
|
cosmic |
Not vulnerable
(4.15.0-1006.6)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.15.0-1014.14~16.04.1)
|
|
zesty |
Does not exist
|
|
linux-gcp-edge Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.18.0-1004.5~18.04.1)
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
linux-gke Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.4.0-1031.31)
|
|
zesty |
Does not exist
|
|
linux-goldfish Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Ignored
(was needed now end-of-life)
|
|
zesty |
Ignored
(reached end-of-life)
|
|
linux-grouper Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-hwe Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(4.18.0-13.14~18.04.1)
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.15.0-24.26~16.04.1)
|
|
zesty |
Does not exist
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(5.0.0-8.9~18.04.1)
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.15.0-24.26~16.04.1)
|
|
zesty |
Does not exist
|
|
linux-kvm Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(4.15.0-1002.2)
|
|
cosmic |
Not vulnerable
(4.15.0-1008.8)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.4.0-1020.25)
|
|
zesty |
Does not exist
|
|
linux-linaro-omap Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-linaro-shared Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-linaro-vexpress Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-lts-quantal Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Ignored
(end-of-life)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
This package is not directly supported by the Ubuntu Security Team | ||
linux-lts-raring Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Ignored
(end-of-life)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-lts-saucy Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Ignored
(end-of-life)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
This package is not directly supported by the Ubuntu Security Team | ||
linux-lts-trusty Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Released
(3.13.0-168.218~precise1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-lts-utopic Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [out of standard support])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-lts-vivid Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [was needs-triage now end-of-life])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-lts-wily Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [out of standard support])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Released
(4.4.0-119.143~14.04.1)
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-maguro Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-mako Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Ignored
(abandoned)
|
|
zesty |
Does not exist
|
|
linux-manta Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-oem Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(4.15.0-1002.3)
|
|
cosmic |
Not vulnerable
(4.15.0-1004.5)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Not vulnerable
(4.13.0-1008.9)
|
|
zesty |
Does not exist
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1007.9)
|
cosmic |
Not vulnerable
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Not vulnerable
(4.15.0-1007.9~16.04.1)
|
|
linux-qcm-msm Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(4.10.0-1018.21)
|
bionic |
Not vulnerable
(4.15.0-1006.7)
|
|
cosmic |
Not vulnerable
(4.15.0-1010.11)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.4.0-1086.94)
|
|
zesty |
Released
(4.10.0-1018.21)
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(4.4.0-1076.81)
|
bionic |
Not vulnerable
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Released
(4.4.0-1088.93)
|
|
zesty |
Released
(4.4.0-1076.81)
|
|
linux-ti-omap4 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.15~rc8)
|
|
xenial |
Does not exist
|
|
zesty |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |