CVE-2017-5967

Vulnerability

In the Linux kernel through version 4.9.9, when the CONFIG_TIMER_STATS configuration option is enabled, the /proc/timer_list file exposes real process ID (PID) values. The vulnerability resides in the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c. These functions do not properly namespace the PID information, leaking the global PID instead of the PID within the container or namespace.

Exploitation

An attacker with local access to the system can read the /proc/timer_list file. No special privileges are required beyond the ability to read that file, which is typically world-readable. By parsing the output, the attacker can obtain the real PID values of processes, even if they are running in a different PID namespace.

Impact

The attacker gains information disclosure: the real PID values of processes, which are normally hidden inside PID namespaces. This can aid in further attacks by revealing process relationships or allowing the attacker to identify specific processes that might be targeted for privilege escalation or other exploits.

Mitigation

Not yet disclosed in the available references. The vulnerability exists in Linux kernel through version 4.9.9; users should apply kernel updates from their distribution if a fix is available. Disabling CONFIG_TIMER_STATS in the kernel configuration prevents the exposure. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.