Cyber Resilience

CVE-2017-1000253

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 05 October 2017
Modified: 21 April 2026
KEV Added: 09 September 2024
Patch: 26 September 2017
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5727 (98.2 percentile)
Risk Priority: 70 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-1000253 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in CentOS. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

The vulnerability is a memory mapping flaw in the Linux kernel's ELF loader affecting long-term supported kernels that lack the fix from commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (originally merged in April 2015 and backported to 3.10.77 in May 2015). When CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE is enabled along with standard top-down address allocation, load_elf_binary() places the first PT_LOAD segment of a PIE binary below mm->mmap_base but maps subsequent segments above it into the intended gap between the stack and the binary image. This issue was not initially treated as a security problem despite the incorrect layout.

A local attacker with the ability to execute a PIE binary can trigger the faulty mapping, resulting in memory corruption that yields high impact on confidentiality, integrity, and availability as reflected in the CVSS 7.8 score and CWE-119 classification.

Red Hat security advisories RHSA-2017:2793, RHSA-2017:2794, and RHSA-2017:2795, along with related trackers, address the issue through updated kernel packages that incorporate the 2015 mapping correction for affected distributions.

Vulnerability details

Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015) are affected. This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary, which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the area that is supposed to be the "gap" between the stack and the binary.
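The Deeper analysis and Vulnerability details passages above both describe the loader reserving room for only the first PT_LOAD segment. The following Python, added here as an illustration and not code from this page or from the kernel, parses the PT_LOAD program headers of a constructed little-endian ELF64 image, computes the span across all PT_LOAD segments, and models top-down placement below mm->mmap_base to show which segments land in the stack gap when only the first segment's size is reserved; the sample segment layout, the mmap_base value and the simplified placement (ASLR offsets ignored) are assumptions.

```python
import struct

PT_LOAD = 1
PAGE = 4096

# Constructed sample: three PT_LOAD segments laid out like a typical x86-64 PIE
# (text at 0, data segments 2 MiB further up). Values are illustrative only.
SAMPLE_SEGMENTS = [(0x0, 0x1000), (0x200000, 0x1000), (0x201000, 0x2000)]
MMAP_BASE = 0x7F0000000000  # assumed mm->mmap_base for the model below


def page_start(x):
    return x & ~(PAGE - 1)


def page_align_up(x):
    return (x + PAGE - 1) & ~(PAGE - 1)


def build_sample_elf(segs):
    """Build a minimal little-endian ELF64 ET_DYN header plus one PT_LOAD phdr per (vaddr, memsz)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, 5, v, v, v, sz, sz, PAGE) for v, sz in segs)
    return ehdr + phdrs


def pt_load_segments(elf):
    """Return (p_vaddr, p_memsz) for every PT_LOAD program header of an ELF64 image."""
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    segs = []
    for i in range(e_phnum):
        p = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:
            segs.append((p[3], p[6]))  # p_vaddr, p_memsz
    return segs


def total_mapping_size(segs):
    """Span from the page start of the first PT_LOAD to the end of the last: what the loader must reserve."""
    if not segs:
        return 0
    last_vaddr, last_memsz = segs[-1]
    return last_vaddr + last_memsz - page_start(segs[0][0])


def spilled_segments(segs, mmap_base, reserved):
    """Simplified top-down placement model: `reserved` bytes are set aside directly below mmap_base,
    every PT_LOAD is mapped at load_bias + p_vaddr, and the p_vaddr of each segment whose mapping
    ends above mmap_base (i.e. inside the stack gap) is returned."""
    load_bias = mmap_base - page_align_up(reserved) - page_start(segs[0][0])
    return [v for v, sz in segs if load_bias + v + sz > mmap_base]


if __name__ == "__main__":
    segs = pt_load_segments(build_sample_elf(SAMPLE_SEGMENTS))
    first_only = page_align_up(segs[0][1])  # what the flawed loader reserved
    print(hex(first_only), hex(total_mapping_size(segs)))
    print([hex(v) for v in spilled_segments(segs, MMAP_BASE, first_only)])  # flawed: spills into the gap
    print(spilled_segments(segs, MMAP_BASE, total_mapping_size(segs)))  # corrected: nothing spills
```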

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

centos / centos: 6.0, 6.1, 6.2, 6.3, 6.4
redhat / enterprise linux: 6.0, 6.1, 6.2, 6.3, 6.4
linux / linux kernel: 2.6.25 to 3.2.70, 3.3 to 3.4.109, 3.5 to 3.10.77

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of the kernel patch that corrects load_elf_binary() PT_LOAD segment placement for PIE binaries.

prevent: Enforces memory-protection safeguards that block the unauthorized memory corruption resulting from the faulty ELF mapping.

prevent: Maintains separate per-process execution domains, countering the address-space layout violation that places segments into the stack gap.
