CVE-2017-18509

CVSS v3 base score: 7.8 HIGH

📋 TL;DR

This is a Linux kernel vulnerability in the IPv6 multicast routing code (net/ipv6/ip6mr.c). The ip6_mroute_* socket-option handlers did not validate the socket's sk_type and protocol before acting on it, so they could be reached through an IPv6 socket that is not the raw ICMPv6 socket the multicast routing API expects. By setting a specific socket option on such a socket an attacker can control a pointer in kernel memory and trigger a general protection fault in inet_csk_listen_stop, or potentially execute arbitrary code. Reaching the handler requires root, CAP_NET_ADMIN, or a network namespace of one's own obtained by namespace unsharing; root inside a default LXC container is sufficient. Upstream kernels before 4.11 are affected, and distributions on the 4.9.x longterm branch are affected before 4.9.187.

💻 Affected Systems

Products:
  • Linux kernel
Versions: upstream Linux kernel before 4.11; 4.9.x longterm kernels before 4.9.187, where the fix was backported. Distribution kernels carry their own backports, so check the vendor advisory rather than the version number alone.
Operating Systems: Linux distributions shipping an affected kernel
Default Config Vulnerable: ⚠️ Yes, when the kernel is built with CONFIG_IPV6_MROUTE (typical for distribution kernels); without that option the ip6_mroute_* handlers are not compiled in.
Notes: Requires root, CAP_NET_ADMIN in the socket's network namespace, or the ability to unshare into a new user and network namespace. Root inside a default LXC container is enough, since container root holds CAP_NET_ADMIN for the container's network namespace.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation from root or CAP_NET_ADMIN inside a container or namespace to kernel-level code execution, i.e. container escape and full host compromise.

🟠

Likely Case

Kernel general protection fault (oops in inet_csk_listen_stop) that crashes the host or leaves it unstable, taking down every container and workload running on that kernel.

🟢

If Mitigated

No impact if untrusted users cannot obtain root or CAP_NET_ADMIN and cannot create their own user and network namespaces. Note that on kernels that allow unprivileged user namespaces, an ordinary local user can obtain CAP_NET_ADMIN in a namespace of their own, so restricting root alone is not sufficient.

🌐 Internet-Facing: LOW - Not reachable remotely; requires local code execution or an existing foothold on the host or in a container.
🏢 Internal Only: MEDIUM - Local users, compromised services, or tenants of a shared container host with root, CAP_NET_ADMIN, or namespace unsharing could exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local code execution with root, CAP_NET_ADMIN, or namespace unsharing; a proof of concept is referenced in the public advisories. The general protection fault is the reliable outcome; arbitrary code execution is only possible under certain circumstances, which is why complexity is rated MEDIUM.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 4.11 and later; 4.9.187 and later on the 4.9 longterm branch; for distribution kernels, the build named in the vendor advisory.

Vendor Advisory (upstream fix commit, "ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt"): https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=99253eb750fda6a644d5188fb26c43bad8d5a745

Restart Required: Yes

Instructions:

1. Update the kernel package to a build that contains the fix: upstream 4.11 or later, 4.9.187 or later on the 4.9 longterm branch, or the distribution build that backports commit 99253eb750fda6a644d5188fb26c43bad8d5a745.
2. Reboot; the running kernel is not fixed until the new image is loaded.
3. Confirm with uname -r that the expected kernel is the one running.

🔧 Temporary Workarounds

Restrict CAP_NET_ADMIN

linux

Do not grant CAP_NET_ADMIN to untrusted users, binaries, or containers: callers without it (or root) are refused the multicast routing socket options with EACCES before the unchecked socket type matters. Docker's default capability set does not include NET_ADMIN, so the --cap-drop below only matters where it was added with --cap-add or --privileged; default LXC containers, by contrast, give container root CAP_NET_ADMIN, which is why the CVE names them.

# remove the file capabilities (cap_net_admin included) from a binary that was given them with setcap
setcap -r /path/to/binary
# make sure a container does not carry NET_ADMIN
docker run --cap-drop=NET_ADMIN ...

Disable IPv6 multicast routing

linux

Not an effective runtime workaround: net.ipv6.conf.all.mc_forwarding is a read-only status flag that the kernel sets while a multicast routing daemon is registered, so writing 0 to it fails, and the vulnerable setsockopt handlers are reachable whether or not multicast forwarding is active. The only way to remove them is to build the kernel without CONFIG_IPV6_MROUTE, which is a rebuild, not a setting.

# read-only: reports whether a multicast router is registered; it cannot disable the code path
sysctl net.ipv6.conf.all.mc_forwarding

🧯 If You Can't Patch

  • Keep root and CAP_NET_ADMIN away from untrusted users and containers; do not run containers with --privileged or --cap-add=NET_ADMIN unless required, and treat any container whose root holds CAP_NET_ADMIN (the LXC default) as able to crash the host
  • Disable unprivileged user namespaces where the workload allows it (user.max_user_namespaces=0, available from 4.9 upstream, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels), since unsharing into a new network namespace grants CAP_NET_ADMIN there and is one of the documented trigger paths
  • Isolate affected hosts in their own network segments and monitor them for kernel oopses and unexpected reboots

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. Upstream kernels before 4.11, and 4.9.x longterm kernels before 4.9.187, are in the affected range. The version alone is not conclusive for distribution kernels, which backport fixes without changing the upstream version; check the vendor advisory or kernel changelog for CVE-2017-18509 or commit 99253eb750fda6a644d5188fb26c43bad8d5a745. A kernel built without CONFIG_IPV6_MROUTE does not contain the affected handlers at all.

Check Version:

uname -r

Verify Fix Applied:

After patching and rebooting, confirm with uname -r that the running kernel is 4.11 or later, 4.9.187 or later, or the fixed distribution build, and that the system is stable under normal load. uname -r reports the running kernel, so running it before the reboot only shows the old one.
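The following script is an added example, not part of the original page or of the kernel project. It turns the version rule above into a function (kver_affected) that can be run against any release string, and a check_host function that adds the two facts the version string cannot give you: whether the running kernel was built with CONFIG_IPV6_MROUTE, and whether unprivileged user namespaces are available. It assumes the usual /boot/config-$(uname -r) location for the kernel config (falling back to /proc/config.gz) and the two sysctl keys named in the comments; the release strings in the usage comments are constructed inputs.

```shell
#!/bin/sh
# Added example: version rule + build/namespace checks for CVE-2017-18509.
# Not from the original page or the kernel project.

# kver_affected RELEASE
# Prints "yes" if RELEASE is in the upstream range this page lists as affected
# (before 4.11, except 4.9.x at 4.9.187 or later), else "no". Distribution
# kernels backport fixes without changing this string, so "yes" means
# "check the vendor advisory", not "proven vulnerable".
#   kver_affected 4.9.185-1-amd64   -> yes   (constructed inputs)
#   kver_affected 4.9.187           -> no
kver_affected() {
    rel=${1%%[!0-9.]*}                  # "4.9.185-1-amd64" -> "4.9.185"
    maj=${rel%%.*}
    rest=${rel#*.}
    if [ "$rest" = "$rel" ]; then rest=0; fi   # bare "4": no minor
    min=${rest%%.*}
    pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi    # "4.11": no patch level
    pat=${pat%%.*}                              # "187.1" -> "187"
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}

    if [ "$maj" -lt 4 ]; then echo yes; return 0; fi
    if [ "$maj" -gt 4 ]; then echo no; return 0; fi
    if [ "$min" -ge 11 ]; then echo no; return 0; fi
    if [ "$min" -eq 9 ] && [ "$pat" -ge 187 ]; then echo no; return 0; fi
    echo yes
}

# check_host
# Reports on the running kernel. Assumes the kernel config lives at
# /boot/config-$(uname -r) (readable by root on most distributions) or is
# exposed as /proc/config.gz; without either, the CONFIG_IPV6_MROUTE question
# is left open.
check_host() {
    rel=$(uname -r)
    printf 'kernel %s: in upstream-affected range: %s\n' "$rel" "$(kver_affected "$rel")"

    cfg=/boot/config-$rel
    if [ -r "$cfg" ]; then
        cfgtext=$(cat "$cfg")
    elif [ -r /proc/config.gz ]; then
        cfgtext=$(zcat /proc/config.gz)
    else
        cfgtext=''
    fi
    if [ -z "$cfgtext" ]; then
        echo 'kernel config not readable: cannot tell whether ip6mr.c is built'
    elif printf '%s\n' "$cfgtext" | grep -q '^CONFIG_IPV6_MROUTE=y'; then
        echo 'CONFIG_IPV6_MROUTE=y: ip6mr.c is built, the affected handlers are present'
    else
        echo 'CONFIG_IPV6_MROUTE not set: IPv6 multicast routing code is not built'
    fi

    # Unprivileged user namespaces let an ordinary user unshare into a new
    # network namespace where it holds CAP_NET_ADMIN, the third trigger path
    # the CVE describes. user.max_user_namespaces exists from 4.9 upstream;
    # kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel addition.
    for key in user.max_user_namespaces kernel.unprivileged_userns_clone; do
        if val=$(sysctl -n "$key" 2>/dev/null); then
            printf '%s = %s\n' "$key" "$val"
        fi
    done
}

# Only touch the running system when asked, so the file can also be sourced
# for its functions.
if [ "${1-}" = "--host" ]; then
    check_host
fi
```

Run it with the --host argument on the machine to inspect. A "yes" from kver_affected means the upstream version is in the affected range and the vendor advisory must be consulted; it does not prove the host is vulnerable, and a kernel without CONFIG_IPV6_MROUTE is not, whatever its version says.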

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • General protection fault or oops in dmesg or system logs with inet_csk_listen_stop or ip6_mroute_* functions in the call trace
  • Unexpected crashes or reboots, especially of container hosts

Network Indicators:

  • None on the wire: the trigger is a local setsockopt call. Audit logging of unshare and setns by unprivileged users, and of unexpected multicast routing configuration on hosts that run no multicast routing daemon, is the closest substitute

SIEM Query:

source="kernel" AND ("general protection fault" OR "inet_csk_listen_stop" OR "ip6_mroute")
