Think you have a false positive on this rule?

Sid 1-44637

Message

PROTOCOL-RPC Linux kernel nfsd nfsd4layoutverify out of bounds read attempt

Summary

This event is generated when Snort detects traffic exploiting an out of bounds read vulnerability in the Linux Kernel nfsd module.

Impact

Attempted Denial of Service

CVE-2017-8797:

CVSS base score 7.5

CVSS impact score 3.6

CVSS exploitability score 3.9

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Detailed information

CVE-2017-8797: The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.

Affected systems

  • linux linux_kernel 4.11.2

Ease of attack

CVE-2017-8797:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • access.redhat.com/security/cve/cve-2017-8797