The Linux kernel vulnerability found at the Zero Day Initiative’s Pwn2Own 2017 competition which aimed to hack Ubuntu has been patched.
This flaw was disclosed at the event itself by the researchers at Beijing-based enterprise security firm named Chaitin Tech. This exploit, which made the hackers $15,000, is part of the only attempt to break the Ubuntu at this year’s Pwn2Own competition.
This vulnerability is tracked as CVE-2017-7184 and it has been described as an out-of-bounds heap access vulnerability which can be exploited to cause a DoS(denial-of-service) condition or to execute an arbitrary code. Any local attacker can exploit this flaw to escalate the privileges on the system.
“The specific flaw which exists within the handling of xfrm states,” the ZDI explained in its advisory. “This issue results from lack of proper validation of the user-supplied data, this can result in a memory access past the end of allocated buffer.”
This vulnerability was addressed in Linux kernel a few days after the Pwn2Own has ended. The Ubuntu has released some fixes and other coming to other Linux distributions, they are working on patches of their own.
The Red Hat has classified it a “high severity,” but pointed out that this flaw cannot be exploited for the privilege escalation on default or on common configurations of the Red Hat Enterprise Linux 5, 6 and 7.
The VMware and Mozilla have also patched the Firefox and Workstation vulnerabilities which are disclosed at Pwn2Own, and the ZDI has made its advisories public for these security holes.
