Vulnerability CVE-2017-16539
Published: 2017-11-04

Description:
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Type:

CWE-200

 (Information Exposure)

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial
Affected software
Mobyproject -> MOBY 

 References:
https://github.com/moby/moby/pull/35399
https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
https://marc.info/?l=linux-scsi&m=150985062200941&w=2
https://marc.info/?l=linux-scsi&m=150985455801444&w=2
https://twitter.com/ewindisch/status/926443521820774401
Copyright 2024, cxsecurity.com

 

Back to Top