Security Finder

You can use the Security Finder to search for security issues and their impact on Riverbed products. This page is continuously updated, displaying the most current public security issues first. The search box can be used to look up records by specific CVE numbers or relevant search word, e.g. Apache, 8.5.0, Workaround. For additional search tips, refer to article S16165. Security issues listed here are categorized into three groups: fixed, workaround recommended and not applicable.

For general security topics, security best practices and other security related topics, try performing a general search.

BETA FEATURE: This feature is currently under development and is considered Beta Software. We are still enhancing the features and results so please exercise caution when interpreting and implementing the results. If you have any questions, please open a case with Riverbed Support. If you have feedback for this tool, please send it to supportfeedback@riverbed.com.

Riverbed Technology is committed to protecting customers against vulnerabilities in our supported products. Vulnerabilities are addressed in accordance to the software support policy. https://support.riverbed.com/content/support/about_support/end_of_life_policy.html

For search tips, read article S16165.

CVE-2017-1000253: kernel: load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary. (Bug #291697)

Product

SteelHead (Appliance)

Fixed in Version:

steelhead 9.8.0, steelhead 9.6.3

Last Modified:

2020-08-11

Summary

Details:
With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE
binary into an address range immediately below mm->mmap_base.

Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary.

Since the size of the "gap" on x86_64 is only guaranteed to be 128 MB, this means that binaries with large data segments > 128 MB can end up mapping
part of their data segment over their stack resulting in corruption of the stack (and the data segment once the binary starts to run).

Any PIE binary with a data segment greater than 128 MB is vulnerable to this, although address randomization means that the actual gap between the stack and the end of the binary is normally greater than 128 MB. The larger the data segment of the binary, the higher the probability of failure.

Fix: 
Patched kernel with vendor-provided fix available at https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86.

Recommendation: 
Upgrade to a software version with this fix.