CVE-2017-5123

8.8 HIGH

📋 TL;DR

CVE-2017-5123 is a missing access_ok() check in the Linux kernel's waitid() system call. Linux 4.13 switched waitid()'s copy-out of the result siginfo to unsafe_put_user(), which assumes the caller-supplied infop pointer has already been range-checked, and no such check was made. An unprivileged local process can therefore pass a kernel address as infop and have the kernel write the reaped child's si_signo (SIGCHLD), si_errno (0), si_code, si_pid, si_uid and si_status to it: a constrained but attacker-influenced write into kernel memory. Public exploits turn that write into root. waitid() needs no capability and is allowed by Docker's default seccomp profile, so the bug is reachable from inside containers and most sandboxes. Only 4.13-series kernels carry it.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Linux kernel 4.13.0 through 4.13.5 (the bug entered in the 4.13 merge window; fixed in 4.14-rc5 and backported to 4.13.6)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only 4.13-based kernels carry the bug; 4.12 and earlier never did, 4.14 and later do not. Distribution kernels built from 4.13 (Ubuntu 17.10's 4.13.0-N builds, for example) keep the 4.13.0 version string after the fix is backported, so the package changelog, not uname alone, tells you whether a given build is fixed. waitid() needs no capability and is allowed by Docker's default seccomp profile, so the bug is reachable from inside containers and yields a container escape.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root access, allowing complete control over the system, data theft, and persistence establishment.

🟠

Likely Case

Local privilege escalation from unprivileged user to root, enabling sandbox/container escape and system takeover.

🟢

If Mitigated

Impact is limited only where untrusted code cannot run at all, or where a seccomp filter denies waitid() to the processes it can run in. SELinux, AppArmor and capability dropping do not help: the primitive is a write into kernel memory, beneath anything those enforce. KASLR, SMEP and SMAP raise the exploit effort but public exploits for Ubuntu 17.10 defeat all three.

🌐 Internet-Facing: LOW - This is a local privilege escalation; it matters remotely only as the second stage after some other foothold (a web shell, an RCE in a containerised service).
🏢 Internal Only: HIGH - Any user, service account or container workload that can execute code can use it to become root on the host and move on from there.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Public exploits exist for Ubuntu 17.10's 4.13 kernel and work with SMEP, SMAP and KASLR enabled. The attacker needs only the ability to run code as any local user, including inside a container whose seccomp profile allows waitid().

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 4.13.6 and later in the 4.13 stable series; mainline 4.14-rc5 and later. The fix is the single commit below, which adds access_ok() checks on infop to sys_waitid() and compat_sys_waitid(); distributions backported it into their 4.13-based kernels without changing the 4.13.0 version string.

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=96ca579a1ecc943b75beba58bebb0356f6cc4b51

Restart Required: Yes

Instructions:

1. Update to a kernel that contains the fix: 4.13.6 or later, or your distribution's 4.13 build whose changelog lists CVE-2017-5123.
2. On distributions, install the updated kernel package with the package manager (apt, yum, dnf).
3. Reboot into the new kernel unless your vendor ships a livepatch for this commit; afterwards uname -r must show the updated build.

🔧 Temporary Workarounds

Restrict waitid system call

linux

Deny waitid() with seccomp in container runtimes and sandboxes. The syscall needs no capability, so a seccomp filter is the only per-process control that keeps the vulnerable code path from being reached. Expect breakage: anything that calls waitid() (systemd does) receives EPERM, so test the profile on the workload before rolling it out.

Remove "waitid" from the allowlist of the runtime's default seccomp profile (Docker: edit a copy of the default profile and start containers with --security-opt seccomp=profile.json), or deny it in the sandbox's own filter.

User namespace and capability restrictions (not effective for this CVE)

linux

Disabling unprivileged user namespaces or dropping capabilities does not help: waitid() is reachable from any process with no capabilities in any namespace, and the exploit never needs a user namespace. The two commands below are therefore not mitigations for this bug, however useful they are elsewhere.

sysctl -w kernel.unprivileged_userns_clone=0    # Debian/Ubuntu-specific knob; irrelevant to waitid()
capsh --drop=cap_sys_admin -- -c 'your_command'  # does not remove access to waitid()
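As an added example (not from this page or from any container runtime), the program below installs a seccomp-bpf filter, built with the raw BPF macros from linux/filter.h rather than libseccomp, that returns EPERM for waitid() on the compiling architecture and lets every other syscall through; it then shows that waitpid(), which glibc implements with wait4(), still reaps the child. The architecture constant and syscall number come from the system headers (__NR_waitid); nothing is hard-coded, and the filter is per-process, so it is the same effect a container runtime's profile has on a container.

```c
/* Added example: deny waitid() with a seccomp-bpf filter (raw BPF, no libseccomp). */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define THIS_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define THIS_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define DENY_WAITID_INSNS 7

/* Writes the filter into prog (room for DENY_WAITID_INSNS entries) and returns
 * the instruction count.  Layout:
 *   0  A = arch
 *   1  if A == THIS_ARCH goto 3 else goto 2
 *   2  return KILL          (foreign ABI: its syscall numbers would not match)
 *   3  A = nr
 *   4  if A == __NR_waitid goto 5 else goto 6
 *   5  return ERRNO(EPERM)  (the call fails, the process survives)
 *   6  return ALLOW */
size_t build_deny_waitid(struct sock_filter *prog)
{
    const struct sock_filter f[DENY_WAITID_INSNS] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_waitid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(prog, f, sizeof f);
    return DENY_WAITID_INSNS;
}

/* Inspection helper: the k operand of instruction idx, UINT32_MAX past the end. */
uint32_t deny_waitid_k(size_t idx)
{
    struct sock_filter prog[DENY_WAITID_INSNS];
    size_t n = build_deny_waitid(prog);
    return idx < n ? prog[idx].k : UINT32_MAX;
}

/* Installs the filter for the calling thread and everything it forks.
 * NO_NEW_PRIVS is required unless the caller holds CAP_SYS_ADMIN. */
int install_deny_waitid(void)
{
    struct sock_filter prog[DENY_WAITID_INSNS];
    struct sock_fprog fp = { .len = (unsigned short)build_deny_waitid(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) _exit(42);

    int rc = install_deny_waitid();
    if (rc != 0) { fprintf(stderr, "seccomp: %s\n", strerror(-rc)); return 1; }

    siginfo_t si;
    /* Direct syscall so no libc wrapper can substitute another call. */
    long r = syscall(__NR_waitid, P_PID, child, &si, WEXITED | WNOWAIT, NULL);
    printf("waitid(): rc=%ld errno=%d (%s)\n", r, errno, strerror(errno));

    int status = 0;
    if (waitpid(child, &status, 0) == child && WIFEXITED(status))
        printf("waitpid() still works: child exited with %d\n", WEXITSTATUS(status));
    return 0;
}
```

Returning ERRNO rather than KILL for the denied call is deliberate: software that probes waitid() and falls back to wait4() keeps working, while an exploit gets EPERM on its first attempt and leaves a trace. The KILL on architecture mismatch is the standard guard against a 32-bit binary reaching a different syscall table.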

🧯 If You Can't Patch

  • Limit who can execute code on the host, containers included: every local code-execution path is a path to root until the kernel is fixed
  • Deny waitid() in the seccomp profiles of containers and sandboxes; capability dropping and LSM confinement alone do not stop this bug

🔍 How to Verify

Check if Vulnerable:

Run uname -r. Kernels 4.13.0 through 4.13.5 are vulnerable; 4.12 and earlier, and 4.14 and later, are not. For a distribution kernel whose version string stays at 4.13.0-N across updates, the package changelog decides.

Check Version:

uname -r
rpm -q --changelog kernel | grep -i CVE-2017-5123                                   # RPM-based
zgrep -i CVE-2017-5123 /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz   # Debian/Ubuntu

Verify Fix Applied:

uname -r reports 4.13.6 or later (or 4.14 and later), or the changelog for the running build names CVE-2017-5123 or commit 96ca579a1ecc. With the source tree at hand, kernel/exit.c must call access_ok() on infop before user_access_begin() in both sys_waitid() and compat_sys_waitid(). Do not "test" a production host by passing a kernel address to waitid(): on a vulnerable kernel the write succeeds and can corrupt or crash the machine.

📡 Detection & Monitoring

Log Indicators:

  • The write itself produces no log line, so audit the syscall: auditctl -a always,exit -F arch=b64 -S waitid -k cve_2017_5123, then look for SYSCALL records whose a2 field (the infop argument) is a kernel-half address (0xffff8... on x86-64). No legitimate program passes one.
  • On a patched kernel such a call logs success=no exit=-14 (EFAULT): an attempt that failed. On a vulnerable kernel it logs success=yes: the write landed.
  • Kernel oopses in dmesg ("BUG: unable to handle kernel paging request", "general protection fault") raised by an unprivileged or container process, the usual trace of an exploit whose KASLR guess was wrong.
  • A container process or an unprivileged user's session spawning uid=0 children with no setuid binary or sudo in between.

Network Indicators:

  • None - this is a local exploit, although the root shell it yields is usually followed by new outbound connections from the host.

SIEM Query:

ausearch -k cve_2017_5123 | grep -E ' a2=ff[0-9a-f]{14} '
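To show the detection logic running over records of the shape auditd emits, here is an added example (not from this page or from the audit tooling) that classifies SYSCALL records for x86-64: it reads arch=, syscall= and a2= as auditd prints them (hex without 0x, decimal for the syscall number) and flags waitid() calls whose infop has bit 63 set, distinguishing attempts the kernel rejected from ones that succeeded. The five sample records are constructed, as are their pids, addresses and the audit key cve_2017_5123 assumed above; the 247 is waitid's number on the x86-64 ABI that the arch= field identifies, not a property of the scanning host.

```c
/* Added example: classify auditd SYSCALL records for waitid() probes (x86-64 records). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_ARCH_X86_64_VALUE 0xc000003eULL  /* arch= value auditd logs for x86-64 */
#define NR_WAITID_X86_64        247ULL         /* waitid on that ABI; tied to arch=, not the host */

enum waitid_verdict {
    WAITID_BENIGN = 0,           /* normal call, another syscall, or a non-x86-64 record */
    WAITID_PROBE_REJECTED = 1,   /* kernel-half infop and the kernel refused it (patched host) */
    WAITID_PROBE_SUCCEEDED = 2   /* kernel-half infop and success=yes: the write landed */
};

/* Parse " key=<number>" from a record; returns 0 when the key is absent. */
static int field_u64(const char *rec, const char *key, int base, uint64_t *out)
{
    const char *p = strstr(rec, key);
    if (!p)
        return 0;
    *out = strtoull(p + strlen(key), NULL, base);
    return 1;
}

enum waitid_verdict classify_waitid_record(const char *rec, uint64_t *infop_out)
{
    uint64_t arch, nr, a2;
    if (!field_u64(rec, " arch=", 16, &arch) || arch != AUDIT_ARCH_X86_64_VALUE)
        return WAITID_BENIGN;
    if (!field_u64(rec, " syscall=", 10, &nr) || nr != NR_WAITID_X86_64)
        return WAITID_BENIGN;
    if (!field_u64(rec, " a2=", 16, &a2))
        return WAITID_BENIGN;
    if (infop_out)
        *infop_out = a2;
    /* Bit 63 set means the kernel half on x86-64 under both 4- and 5-level paging.
     * User pointers, including the NULL that waitid() accepts, never have it. */
    if (!(a2 >> 63))
        return WAITID_BENIGN;
    return strstr(rec, " success=yes") ? WAITID_PROBE_SUCCEEDED : WAITID_PROBE_REJECTED;
}

/* Batch scan: number of flagged records, worst verdict through *worst if wanted. */
size_t scan_waitid_records(const char *const *recs, size_t n, enum waitid_verdict *worst)
{
    size_t flagged = 0;
    enum waitid_verdict w = WAITID_BENIGN;
    for (size_t i = 0; i < n; i++) {
        enum waitid_verdict v = classify_waitid_record(recs[i], NULL);
        if (v != WAITID_BENIGN)
            flagged++;
        if (v > w)
            w = v;
    }
    if (worst)
        *worst = w;
    return flagged;
}

/* Constructed sample records in auditd's SYSCALL format (pids, addresses, key invented). */
static const char *const SAMPLE_RECORDS[] = {
    /* systemd reaping units: infop is an ordinary stack address */
    "type=SYSCALL msg=audit(1507580000.123:4711): arch=c000003e syscall=247 success=yes exit=0 a0=0 a1=0 a2=7ffd1c3b2e40 a3=1000005 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 comm=\"systemd\" exe=\"/lib/systemd/systemd\" key=\"cve_2017_5123\"",
    /* probe against a patched kernel: kernel-half infop, rejected with EFAULT */
    "type=SYSCALL msg=audit(1507580001.456:4712): arch=c000003e syscall=247 success=no exit=-14 a0=1 a1=3f5 a2=ffffffff81e3c000 a3=4 items=0 ppid=3000 pid=3015 auid=1000 uid=1000 gid=1000 comm=\"exp\" exe=\"/tmp/exp\" key=\"cve_2017_5123\"",
    /* same probe against an unpatched 4.13 kernel: the write landed */
    "type=SYSCALL msg=audit(1507580002.789:4713): arch=c000003e syscall=247 success=yes exit=0 a0=1 a1=3f7 a2=ffff88003e41c000 a3=4 items=0 ppid=3000 pid=3018 auid=1000 uid=1000 gid=1000 comm=\"exp\" exe=\"/tmp/exp\" key=\"cve_2017_5123\"",
    /* wait4(), not waitid(): a2 is the options word, ignored */
    "type=SYSCALL msg=audit(1507580003.012:4714): arch=c000003e syscall=61 success=yes exit=3019 a0=ffffffff a1=7ffe2b9d0a8c a2=0 a3=0 items=0 ppid=1 pid=900 auid=1000 uid=1000 gid=1000 comm=\"bash\" exe=\"/bin/bash\" key=(null)",
    /* waitid() with infop == NULL: legal */
    "type=SYSCALL msg=audit(1507580004.345:4715): arch=c000003e syscall=247 success=yes exit=0 a0=1 a1=3f9 a2=0 a3=4 items=0 ppid=1 pid=901 auid=1000 uid=1000 gid=1000 comm=\"make\" exe=\"/usr/bin/make\" key=\"cve_2017_5123\"",
};
#define SAMPLE_COUNT (sizeof SAMPLE_RECORDS / sizeof SAMPLE_RECORDS[0])

enum waitid_verdict classify_sample(size_t i)
{
    return i < SAMPLE_COUNT ? classify_waitid_record(SAMPLE_RECORDS[i], NULL) : WAITID_BENIGN;
}

uint64_t sample_infop(size_t i)
{
    uint64_t a2 = 0;
    if (i < SAMPLE_COUNT)
        classify_waitid_record(SAMPLE_RECORDS[i], &a2);
    return a2;
}

size_t scan_samples(enum waitid_verdict *worst)
{
    return scan_waitid_records(SAMPLE_RECORDS, SAMPLE_COUNT, worst);
}

int main(void)
{
    static const char *const names[] = { "benign", "probe rejected (patched)", "probe succeeded (vulnerable)" };
    enum waitid_verdict worst;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("record %zu: %s (a2=0x%llx)\n", i, names[classify_sample(i)],
               (unsigned long long)sample_infop(i));
    printf("flagged %zu of %zu, worst: %s\n", scan_samples(&worst), SAMPLE_COUNT, names[worst]);
    return 0;
}
```

The classifier only understands arch=c000003e on purpose: a compat (32-bit) caller logs a different arch and a different syscall number, so extend the table rather than drop the check if you need to cover it.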
