DNA View

CVE-2017-1000366

CVSS Score: Low
Published: Jun 19, 2017
Last Modified: Apr 20, 2025

Vulnerability Description

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap and stack so that they alias, potentially resulting in arbitrary code execution. Note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory, but those issues are not directly exploitable and so have not been assigned a CVE. This affects glibc 2.25 and earlier.

Known Affected Software

47 configuration(s) from 6 vendor(s)

Product: debian_linux, Version: 8.0, CPE: cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Product: debian_linux, Version: 9.0, CPE: cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Product: suse_linux_enterprise_server, Version: 11.0, CPE: cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4:*:*:*:*:*:*
Product: suse_linux_enterprise_point_of_sale, Version: 11.0, CPE: cpe:2.3:o:novell:suse_linux_enterprise_point_of_sale:11.0:sp3:*:*:*:*:*:*
Product: suse_linux_enterprise_desktop, Version: 12.0, CPE: cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:-:*:*:*:*:*:*
Product: cloud_magnum_orchestration, Version: 7, CPE: cpe:2.3:a:openstack:cloud_magnum_orchestration:7:*:*:*:*:*:*:*
Product: leap, Version: 42.2, CPE: cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*
Product: enterprise_linux_server_long_life, Version: 5.9, CPE: cpe:2.3:o:redhat:enterprise_linux_server_long_life:5.9:*:*:*:*:*:*:*
Product: enterprise_linux, Version: 7.0, CPE: cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:intel64:*
Product: enterprise_linux_server_aus, Version: 6.2, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:*:*:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 5.9, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:5.9:*:*:*:*:*:*:*
Product: enterprise_linux_server_eus, Version: 7.6, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
Product: enterprise_linux_workstation, Version: 7.0, CPE: cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:x64:*
Product: enterprise_linux_server_eus, Version: 7.3, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
Product: enterprise_linux_server, Version: 6.6, CPE: cpe:2.3:o:redhat:enterprise_linux_server:6.6:*:*:*:*:*:*:*
Product: enterprise_linux_server_eus, Version: 7.4, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
Product: enterprise_linux, Version: 5, CPE: cpe:2.3:o:redhat:enterprise_linux:5:unknown:server:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 7.4, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Product: enterprise_linux_server, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:x86:*
Product: enterprise_linux_server_tus, Version: 7.6, CPE: cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 6.4, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
Product: enterprise_linux_server_eus, Version: 6.7, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*
Product: enterprise_linux_server_eus, Version: 6.2, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:6.2:*:*:*:*:*:*:*
Product: enterprise_linux_server, Version: 7.0, CPE: cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:x64:*
Product: enterprise_linux_server_tus, Version: 7.2, CPE: cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
Product: enterprise_linux_server_eus, Version: 6.5, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:*:*:*:*:*:*:*
Product: enterprise_linux, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:intel64:*
Product: enterprise_linux_server_aus, Version: 7.6, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 7.3, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
Product: enterprise_linux_desktop, Version: 7.0, CPE: cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:x64:*
Product: enterprise_linux_server_eus, Version: 7.5, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
Product: enterprise_linux_server_tus, Version: 6.6, CPE: cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 6.6, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 7.2, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
Product: enterprise_linux_desktop, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:x64:*
Product: enterprise_linux_server_tus, Version: 7.3, CPE: cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
Product: enterprise_linux_server_tus, Version: 6.5, CPE: cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:*:*:*:*:*:*:*
Product: enterprise_linux_server_eus, Version: 7.2, CPE: cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
Product: enterprise_linux_server_aus, Version: 6.5, CPE: cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
Product: enterprise_linux_workstation, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:x86:*
Product: linux_enterprise_for_sap, Version: 12, CPE: cpe:2.3:o:suse:linux_enterprise_for_sap:12:sp1:*:*:*:*:*:*
Product: linux_enterprise_server, Version: 10, CPE: cpe:2.3:o:suse:linux_enterprise_server:10:-:*:*:*:*:*:*
Product: linux_enterprise_software_development_kit, Version: 12.0, CPE: cpe:2.3:o:suse:linux_enterprise_software_development_kit:12.0:sp1:*:*:*:*:*:*
Product: linux_enterprise_software_development_kit, Version: 11.0, CPE: cpe:2.3:o:suse:linux_enterprise_software_development_kit:11.0:sp3:*:*:*:*:*:*
Product: linux_enterprise_server, Version: 12, CPE: cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:-:*:*:*
Product: linux_enterprise_server, Version: 11, CPE: cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:-:*:*:*
Product: linux_enterprise_server_for_raspberry_pi, Version: 12, CPE: cpe:2.3:o:suse:linux_enterprise_server_for_raspberry_pi:12:sp2:*:*:*:*:*:*
This vulnerability affects 47 software configuration(s). Ensure you patch all affected systems.

Severity Details

Severity: Low (out of 10.0)

Weakness Type (CWE)

CWE-119 (CWE Top 25 rank #17): Improper Restriction of Operations within the Bounds of a Memory Buffer

Description: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to…
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Class

Key Information

Published Date: June 19, 2017