CVE-2017-7480

9.8 CRITICAL

📋 TL;DR

CVE-2017-7480 is a vulnerability in rkhunter (Rootkit Hunter) versions before 1.4.4. When rkhunter --update runs, the tool fetches its mirrors file and data files from remote mirrors over plain HTTP and does not verify what it receives, so an attacker positioned on the network path, or able to redirect the traffic (for example via DNS or ARP spoofing), can substitute the downloaded content. The advisory rates the outcome as potential remote code execution in the context of the user running the update, which in practice is usually root. Any Linux, Unix or BSD host that runs a vulnerable rkhunter's update against remote mirrors is affected.

💻 Affected Systems

Products:
  • rkhunter (Rootkit Hunter)
Versions: All versions before 1.4.4
Operating Systems: Linux, Unix, BSD variants
Default Config Vulnerable: ⚠️ Yes
Notes: Exposed whenever rkhunter --update runs against remote mirrors, which the upstream defaults allow (UPDATE_MIRRORS=1, MIRRORS_MODE=0). A plain rkhunter --check downloads nothing. Hosts that never run --update are not exposed through this bug, but their data files also never refresh. Distribution packages that backport the fix without changing the version string are not affected even though the version looks old; check the package changelog for CVE-2017-7480 in that case.

📦 What is this software?

rkhunter (Rootkit Hunter) is a shell-script based scanner for Unix-like systems that looks for known rootkits, backdoors and local exploits: it compares file properties against a stored baseline, searches for known rootkit files and strings, and checks for hidden files, suspicious kernel modules and risky system settings. It can download updated data files from project mirrors with rkhunter --update, and that download path is what this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code run as root on the updating host (scheduled --update jobs are normally run from root's cron), letting the attacker install a backdoor, tamper with rkhunter's own checks so later scans stay clean, steal sensitive data, or pivot to other systems in the network.

🟠

Likely Case

Remote code execution with the privileges of the user running rkhunter (often root), leading to system takeover and persistence.

🟢

If Mitigated

Limited impact if network controls prevent man-in-the-middle attacks or if rkhunter updates are disabled.

🌐 Internet-Facing: MEDIUM - The update request leaves the host for public mirrors, so anyone who can sit on or redirect that path (rogue Wi-Fi, a compromised router or upstream device, a DNS hijack) can exploit it; the host itself need not expose any service.
🏢 Internal Only: HIGH - An attacker already on the LAN (ARP or DNS spoofing, a compromised proxy or gateway) can intercept the plaintext fetch and obtain root on every host that runs the scheduled update, which makes it a convenient lateral-movement step.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ Yes (no credentials are involved; the precondition is an on-path position or control over where the traffic goes, not a login)
Complexity: LOW

Once the attacker can intercept or redirect the host's outbound HTTP (DNS or ARP spoofing, a compromised gateway, a captive network), the exploit itself is straightforward: serve substituted content to the update run. Proof of concept exists in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.4 and later

Vendor Advisory: http://seclists.org/oss-sec/2017/q2/643

Restart Required: No (rkhunter is a script; the next --update run uses the fixed code)

Instructions:

1. Update rkhunter to version 1.4.4 or later using your package manager.
2. Debian/Ubuntu: sudo apt update && sudo apt install rkhunter
3. RHEL/CentOS (rkhunter ships in EPEL): sudo yum update rkhunter
4. Manual installation: download from https://sourceforge.net/projects/rkhunter/ and follow the installation instructions.
5. If the package still reports a version below 1.4.4 after updating, check the package changelog for CVE-2017-7480 before treating the host as vulnerable: distributions sometimes backport the fix without bumping the version.

🔧 Temporary Workarounds

Disable automatic updates

linux

The insecure download only happens during rkhunter --update, so the reliable workaround on an unpatched host is not to run it: remove or disable any cron entry that invokes rkhunter --update (on Debian-derived packages the weekly job is controlled by CRON_DB_UPDATE in /etc/default/rkhunter) and run it manually only from a network you trust. Scans with rkhunter --check keep working against the existing data files, which will go stale until you patch.

Setting UPDATE_MIRRORS=0 is narrower than it sounds: it stops rkhunter from refreshing its mirrors file, but the data files are still fetched over HTTP from the mirrors already listed, so on its own it does not close the hole.

Edit /etc/rkhunter.conf and set UPDATE_MIRRORS=0
Or run: sudo sed -i 's/UPDATE_MIRRORS=1/UPDATE_MIRRORS=0/' /etc/rkhunter.conf

Use local mirror only

linux

Point rkhunter at a mirror you control instead of the public ones

Edit /etc/rkhunter.conf and set MIRRORS_MODE=1 (use local mirrors only)
Add the local mirror to the mirrors file itself (mirrors.dat in rkhunter's database directory); rkhunter.conf has no LOCAL_MIRROR_DIR option. See the MIRRORS_MODE comments in rkhunter.conf for the entry format.
Populate that mirror from files obtained over a verified channel; otherwise the same substituted content simply arrives by another route.

🧯 If You Can't Patch

  • Do not run rkhunter --update on the affected host: disable the cron job that calls it and accept stale data files until you can patch. UPDATE_MIRRORS=0 alone is not sufficient, because data files are still fetched over HTTP from the listed mirrors.
  • If updates are essential, serve them from a local mirror (MIRRORS_MODE=1) that you populate over a verified channel.
  • Implement network controls that prevent redirection of the host's outbound HTTP: controlled DNS resolution, egress through a proxy you manage, and detection of ARP or DNS spoofing on the segment.

🔍 How to Verify

Check if Vulnerable:

Print the version (the first line of output reads "Rootkit Hunter x.y.z"): rkhunter --version | grep 'Rootkit Hunter'

Anything below 1.4.4 is affected unless your distribution backported the fix (check the package changelog for CVE-2017-7480). Also confirm whether the host actually runs rkhunter --update, manually or from cron: that, not the installed version alone, is what exposes it.

Verify Fix Applied:

Verify version is 1.4.4 or later (also accepts 1.4.10+, 1.5+ and 2.x): rkhunter --version | grep -E 'Rootkit Hunter (1\.4\.([4-9]|[1-9][0-9])|1\.([5-9]|[1-9][0-9])|[2-9])'
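The checks above, put together as a small audit script. This is an added example, not code from the rkhunter project or from the original page: it compares the installed version against 1.4.4 and reads the two rkhunter.conf options that decide whether --update reaches remote mirrors. It assumes the upstream config path /etc/rkhunter.conf, that UPDATE_MIRRORS=0 together with MIRRORS_MODE=1 keeps --update off the network, and a hypothetical script name rkh_audit.sh for the stand-alone run. A package that backports the fix without bumping the version is reported as vulnerable here, so follow up with the package changelog in that case.

```shell
#!/bin/sh
# Added example (not code from the rkhunter project): audit one host for
# CVE-2017-7480 exposure. Assumptions: upstream config path /etc/rkhunter.conf;
# UPDATE_MIRRORS=0 plus MIRRORS_MODE=1 means --update does not contact remote
# mirrors; a backported fix that keeps an old version string shows as vulnerable.

# Exit 0 if version $1 (e.g. "1.4.2", "1.4.2-5" or "v1.4.2") is older than 1.4.4.
rkh_version_vulnerable() {
    v=$1
    v=${v#"${v%%[0-9]*}"}                         # drop leading non-digits
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs    # split on dots
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}   # "2-5" -> "2"
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    # 1.4.4 encodes as 10404; anything smaller predates the fix.
    [ $((major * 10000 + minor * 100 + patch)) -lt 10404 ]
}

# First line of `rkhunter --version` looks like "Rootkit Hunter 1.4.2".
rkh_installed_version() {
    rkhunter --version 2>/dev/null \
        | sed -n 's/^Rootkit Hunter \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Value of option $1 in config file $2: last uncommented assignment, with
# optional quotes and any trailing comment removed; empty if the option is unset.
rkh_conf_value() {
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#]*\).*/\1/p" "$2" 2>/dev/null \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Files that invoke `rkhunter --update`; the default search covers the usual
# cron locations. On Debian-derived packages the weekly job is additionally
# gated by CRON_DB_UPDATE in /etc/default/rkhunter, so check that file as well.
rkh_update_scheduled() {
    [ $# -eq 0 ] && set -- /etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.weekly
    grep -rls 'rkhunter.*--update' "$@" 2>/dev/null || :
}

# Prints one of: fixed (>= 1.4.4), mitigated (older, but configured so that
# --update does not reach remote mirrors), vulnerable. Returns 1 only for
# "vulnerable" so the script can be used in automation.
rkh_exposure() {
    ver=$1; conf=$2
    if ! rkh_version_vulnerable "$ver"; then echo fixed; return 0; fi
    um=$(rkh_conf_value UPDATE_MIRRORS "$conf")
    mm=$(rkh_conf_value MIRRORS_MODE "$conf")
    if [ "$um" = 0 ] && [ "$mm" = 1 ]; then echo mitigated; return 0; fi
    echo vulnerable; return 1
}

# Stand-alone use. The hypothetical file name guards the audit so the file can
# also be sourced just for its functions.
if [ "${0##*/}" = "rkh_audit.sh" ]; then
    ver=$(rkh_installed_version)
    [ -n "$ver" ] || { echo "rkhunter not found in PATH" >&2; exit 2; }
    printf 'rkhunter %s: ' "$ver"
    rkh_exposure "$ver" /etc/rkhunter.conf || status=$?
    sched=$(rkh_update_scheduled)
    [ -n "$sched" ] && printf -- '--update is scheduled in:\n%s\n' "$sched"
    exit ${status:-0}
fi
```

Run it as root so the cron directories are readable. A "mitigated" result still deserves a patch: it only means the current configuration keeps --update away from remote mirrors, and a later config change silently reopens the exposure.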

📡 Detection & Monitoring

Log Indicators:

  • rkhunter --update runs recorded in /var/log/rkhunter.log with unexpected results: failures to reach the usual mirrors, or updates applied outside the scheduled window
  • Changes to the mirrors file (mirrors.dat) or other files in rkhunter's database directory outside a known update window
  • Processes spawned by the update job beyond the configured WEB_CMD downloader (wget, curl or similar), especially shells or network tools

Network Indicators:

  • HTTP requests from the host at update time whose destination is not one of the mirrors listed in its mirrors file
  • DNS answers for the mirror names that resolve to unexpected addresses, or queries for unrelated domains coinciding with the update job

SIEM Query:

process:rkhunter AND (network.http OR network.dns) AND NOT destination.domain IN (trusted_domains)

Populate trusted_domains from the hosts in the host's own mirrors file rather than from memory, and remember that the network activity comes from the downloader child (wget, curl or whatever WEB_CMD names), so key on the parent process or the update job's command line rather than on a process literally named rkhunter. Before 1.4.4 the legitimate update traffic is itself plain HTTP, so "plaintext HTTP from the update job" becomes a useful indicator only once the host is patched and confirmed to fetch over HTTPS.
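The query above, made concrete as a filter you can run over URLs pulled from a proxy or egress log for the update job. This is an added example, not part of the original page or of the rkhunter project: the allowlist, the host names and the URLs are constructed, and you would fill the allowlist from the hosts in your own mirrors file. It flags every non-HTTPS fetch and every HTTPS fetch to a host outside the allowlist; the hypothetical file name rkh_flag_fetches.sh only guards the stand-alone demo.

```shell
#!/bin/sh
# Added example (not from the page or the rkhunter project): flag update-time
# fetches that left the expected mirror set or were not made over HTTPS.
# Input: one fetched URL per line on stdin (as extracted from a proxy log).
# Allowlist: comma-separated hostnames in $1 (assumption: taken from the
# host's mirrors file). Output: one finding per offending URL, nothing otherwise.
rkh_flag_fetches() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        NF == 0 { next }                       # skip blank lines
        {
            url = $1
            scheme = url; sub(/:.*/, "", scheme)
            host = url
            sub(/^[A-Za-z]+:\/\//, "", host)   # drop scheme
            sub(/\/.*/, "", host)              # drop path
            sub(/^.*@/, "", host)              # drop userinfo
            sub(/:[0-9]*$/, "", host)          # drop port
            if (scheme != "https")       print "PLAINTEXT " url
            else if (!(host in ok))      print "UNEXPECTED-HOST " url
        }'
}

# Stand-alone demo on constructed input (hosts and paths are made up).
if [ "${0##*/}" = "rkh_flag_fetches.sh" ]; then
    printf '%s\n' \
        'https://rkhunter.sourceforge.net/db/mirrors.dat' \
        'http://rkhunter.sourceforge.net/db/mirrors.dat' \
        'https://updates.attacker.example/db/mirrors.dat' \
        'https://mirror.example.internal:8443/rkhunter/mirrors.dat' \
        | rkh_flag_fetches 'rkhunter.sourceforge.net,mirror.example.internal'
fi
```

On an unpatched host every legitimate update fetch is reported as PLAINTEXT, which is exactly the point: that line should disappear after patching, and any UNEXPECTED-HOST line at update time is worth a look regardless of version.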
