
[Vulnerability notice] "Phoenix Talon" Linux kernel vulnerabilities

Last Updated: Mar 19, 2018

A set of four Linux kernel vulnerabilities, collectively named "Phoenix Talon", was recently disclosed. One of them is rated critical and the other three are rated high.

The four vulnerabilities affect Linux kernel versions from 2.5.69 through 4.11. They can be exploited for denial of service (a double free that crashes the kernel) and possibly for other, unspecified impact; the CVE entries do not rule out code execution. The transport-layer protocols TCP, DCCP and SCTP and the network-layer protocols IPv4 and IPv6 are all affected.

Details of each vulnerability follow.

CVE identifier

  • CVE-2017-8890
  • CVE-2017-9075
  • CVE-2017-9076
  • CVE-2017-9077

Vulnerability name

“Phoenix Talon” Linux kernel vulnerabilities

Official rating

  • CVE-2017-8890: Critical
  • CVE-2017-9075: High
  • CVE-2017-9076: High
  • CVE-2017-9077: High

Vulnerability description

  • CVE-2017-8890

    In Linux kernel versions through 4.10.15, the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c allows attackers to cause a denial of service (double free) or possibly have other, unspecified impact by leveraging use of the accept() system call.

    This is the most severe of the four. The accepted child socket is created as a copy of the listening socket, and that copy includes the raw pointer to the listener's multicast membership list (mc_list). Both sockets therefore own the same list, and when both are closed the list is freed twice. The trigger is a listening socket that has joined a multicast group with the MCAST_JOIN_GROUP setsockopt() option, followed by accept() and the close of both sockets.

  • CVE-2017-9075, CVE-2017-9076, and CVE-2017-9077

    In Linux kernel versions through 4.11.1, the IPv6 accept paths mishandle the same kind of inheritance from the listening socket: sctp_v6_create_accept_sk in net/sctp/ipv6.c (CVE-2017-9075), dccp_v6_request_recv_sock in net/dccp/ipv6.c (CVE-2017-9076) and tcp_v6_syn_recv_sock in net/ipv6/tcp_ipv6.c (CVE-2017-9077). Local users can cause a denial of service or possibly have other, unspecified impact through crafted system calls. These three are the IPv6 counterparts of CVE-2017-8890.
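The bug class behind all four CVEs, shown as an added userland model rather than kernel code (this is not the kernel's or the notice's own code): the listening socket's multicast membership list is a heap pointer, the accept() clone copies the parent socket field by field, and closing both sockets then releases the same list twice. The struct names, the tracking allocator and the two-group scenario are constructed for illustration; the "fixed" clone models the upstream change of not inheriting the membership list.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added userland model (not kernel code) of the Phoenix Talon bug class:
 * the listener's multicast membership list is a heap pointer, the accept()
 * clone copies the parent struct field by field, and closing both sockets
 * then releases the same list twice. A tracking allocator stands in for the
 * kernel heap: a repeated release is counted instead of corrupting memory,
 * and blocks are really freed only in model_reset(), so walking a list after
 * its release stays well-defined inside the model. */

#define MAX_BLOCKS 64
static void *blocks[MAX_BLOCKS];
static int released[MAX_BLOCKS];
static int nblocks, double_free_count;

struct mc_group { int group_id; struct mc_group *next; };  /* one joined group */
struct model_sock { struct mc_group *mc_list; };            /* like inet_sock.mc_list */

static void model_reset(void)
{
    for (int i = 0; i < nblocks; i++)
        free(blocks[i]);
    nblocks = double_free_count = 0;
}

static void *model_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || nblocks == MAX_BLOCKS)
        exit(1);                   /* model limits, not part of the bug */
    blocks[nblocks] = p;
    released[nblocks++] = 0;
    return p;
}

/* Release a block; a second release of the same block is a double free. */
static void model_release(void *p)
{
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i] != p)
            continue;
        if (released[i])
            double_free_count++;   /* in the kernel: slab corruption, crash */
        released[i] = 1;
        return;
    }
    exit(1);                       /* untracked pointer: model bug */
}

/* setsockopt(MCAST_JOIN_GROUP) on the listener: prepend a membership. */
static void join_group(struct model_sock *sk, int group_id)
{
    struct mc_group *g = model_alloc(sizeof *g);
    g->group_id = group_id;
    g->next = sk->mc_list;
    sk->mc_list = g;
}

/* inet_csk_clone_lock() before the fix: field-by-field copy of the parent,
 * so child->mc_list aliases parent->mc_list. */
static struct model_sock *clone_vulnerable(const struct model_sock *parent)
{
    struct model_sock *child = model_alloc(sizeof *child);
    *child = *parent;
    return child;
}

/* The upstream fix: the accepted child inherits no multicast memberships. */
static struct model_sock *clone_fixed(const struct model_sock *parent)
{
    struct model_sock *child = clone_vulnerable(parent);
    child->mc_list = NULL;
    return child;
}

/* close(): drop every membership (ip_mc_drop_socket), then the sock itself. */
static void sock_close(struct model_sock *sk)
{
    for (struct mc_group *g = sk->mc_list, *next; g; g = next) {
        next = g->next;
        model_release(g);
    }
    sk->mc_list = NULL;
    model_release(sk);
}

/* Scenario from the notice: the listener joins groups, accept() clones it,
 * both sockets are closed. Returns the number of double frees observed. */
int run_scenario(int use_fix)
{
    model_reset();
    struct model_sock *listener = model_alloc(sizeof *listener);
    join_group(listener, 1);
    join_group(listener, 2);
    struct model_sock *child = use_fix ? clone_fixed(listener)
                                       : clone_vulnerable(listener);
    sock_close(child);             /* accepted connection closes first */
    sock_close(listener);          /* listener walks the same list again */
    int n = double_free_count;
    model_reset();
    return n;
}

int main(void)
{
    printf("vulnerable clone: %d double free(s)\n", run_scenario(0));
    printf("fixed clone:      %d double free(s)\n", run_scenario(1));
    return 0;
}
```

With two joined groups the vulnerable clone produces two double frees (one per list node) and the fixed clone none. Note that nothing in the scenario depends on multicast traffic arriving: the listener's membership state alone is enough, which is why the precondition in the next section is about the listening socket's options rather than the network.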

Condition and method of exploitation

CVE             Method of exploitation
CVE-2017-8890   Remote. The double free is reachable only through a listening socket that has joined a multicast group (for example with the MCAST_JOIN_GROUP socket option). A remote peer can then trigger it simply by completing a TCP connection to that listener, which makes the kernel clone the listening socket. Multicast traffic does not need to reach the host, since the double free happens on socket close, but listeners that have not joined a multicast group are not affected, so exposure is limited to services that configure such memberships.
CVE-2017-9075   Local
CVE-2017-9076   Local
CVE-2017-9077   Local

Affected scope

Linux kernel 2.5.69 to 4.11

Vulnerability detection

No dedicated detection tool is provided. Check the running kernel with uname -r: a version in the affected range (2.5.69 through 4.11) that has not received the distribution's backported fix for these CVEs is vulnerable. Consult the distribution's security advisory for the fixed package version, since distribution kernels keep their base version number after the fix is backported.

How to fix or mitigate

Upstream and the distribution vendors have released patched kernels. Upgrade with yum update kernel (RHEL and CentOS) or sudo apt-get update && sudo apt-get upgrade (Debian and Ubuntu), then reboot so that the new kernel is actually running; the installed package alone does not fix the running kernel.

Note: Before upgrading the kernel in a production environment, create a snapshot of the instance and verify the upgrade procedure on a test instance first.

Reference

[1] http://www.openwall.com/lists/oss-security/2017/05/30/24
