CVE-2017-17562
Published: 12 December 2017
Summary
CVE-2017-17562 is a high-severity vulnerability (weakness type unspecified) in Oracle Integrated Lights Out Manager. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
Embedthis GoAhead versions before 3.6.5 contain a remote code execution vulnerability that manifests when CGI support is enabled and CGI programs are dynamically linked. The root cause is in the cgiHandler function in cgi.c, which populates the environment of forked CGI scripts from untrusted HTTP request parameters without sanitization. When the target process uses the glibc dynamic linker, specially named parameters such as LD_PRELOAD can be supplied to load attacker-controlled code.
An unauthenticated remote attacker can exploit the flaw over the network by sending an HTTP request that includes a malicious shared-object payload in the POST body and references that payload via /proc/self/fd/0 in the crafted environment variable. Successful exploitation grants arbitrary code execution with the privileges of the CGI process, corresponding to a CVSS 3.1 base score of 8.1.
Public references point to an upstream commit that addresses the issue and to Oracle’s April 2018 Critical Patch Update, which includes remediation guidance for affected Oracle products that embed GoAhead. The project issue tracker and security advisory repositories further recommend upgrading to version 3.6.5 or later and disabling CGI when it is not required.
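The unsafe pattern described above is a handler that copies request parameter names straight into the environment of the forked CGI program. The hardened pattern, shown here as an added C example that is not GoAhead's code and not its upstream fix, validates every client-supplied name and namespaces it under a fixed prefix so that no request can name a loader-controlled variable; the HTTP_PARAM_ prefix, the length limit and the function names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENV_PREFIX "HTTP_PARAM_"   /* assumed naming convention */
#define MAX_NAME   64
#define ENTRY_LEN  256

/* Return 1 if a client-supplied parameter name may be exported. */
int cgi_env_name_ok(const char *name)
{
    size_t i, len;
    if (name == NULL || (len = strlen(name)) == 0 || len > MAX_NAME)
        return 0;
    /* Only [A-Za-z_][A-Za-z0-9_]*: no '=', whitespace or metacharacters. */
    if (!isalpha((unsigned char)name[0]) && name[0] != '_')
        return 0;
    for (i = 1; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_')
            return 0;
    /* Defence in depth: refuse dynamic-linker control variables outright,
       even though the prefix added below already prevents a collision. */
    if (strncmp(name, "LD_", 3) == 0)
        return 0;
    return 1;
}

/* Export up to CAP request parameters as "HTTP_PARAM_<name>=<value>" into
   ENTRIES. Names that fail validation, NULL values, and entries that would
   be truncated are dropped and counted in *REJECTED. Returns the number written. */
int build_cgi_env(const char *const names[], const char *const values[],
                  int n, char entries[][ENTRY_LEN], int cap, int *rejected)
{
    int i, count = 0;
    *rejected = 0;
    for (i = 0; i < n && count < cap; i++) {
        if (!cgi_env_name_ok(names[i]) || values[i] == NULL) {
            (*rejected)++;
            continue;
        }
        if (snprintf(entries[count], ENTRY_LEN, ENV_PREFIX "%s=%s",
                     names[i], values[i]) >= ENTRY_LEN) {
            (*rejected)++;
            continue;
        }
        count++;
    }
    return count;
}
```

The caller still owns the rest of the CGI environment (PATH, QUERY_STRING and so on) and should build it from server-controlled values only, appending these entries afterwards.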
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-8720
Vulnerability details
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
- CWE(s):
- KEV Date Added: 10 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted HTTP request parameters before they are used to populate the CGI process environment, blocking injection of LD_PRELOAD and similar variables.
- CM-7 (Least Functionality): Requires disabling or restricting CGI functionality when it is not essential, eliminating the code path that unsafely inherits request parameters into the forked process environment.
- Mandates timely application of the vendor patch (upgrade to GoAhead 3.6.5+) that removes the unsafe environment initialization in cgiHandler.