CVE-2023-35001 – Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability
https://notcve.org/view.php?id=CVE-2023-35001
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace Vulnerabilidad de Lectura/Escritura en nftables Fuera de los Límites del kernel de Linux; nft_byteorder administra incorrectamente los contenidos de registro de VM cuando CAP_NET_ADMIN está en cualquier espacio de nombres de usuario o red An out-of-bounds (OOB) memory access flaw was found in the Netfilter module in the Linux kernel's nft_byteorder_eval in net/netfilter/nft_byteorder.c. A bound check failure allows a local attacker with CAP_NET_ADMIN access to cause a local privilege escalation issue due to incorrect data alignment. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the processing of nft chains. The issue results from incorrect pointer scaling, which can result in a memory access past the end of an array. • https://github.com/synacktiv/CVE-2023-35001 https://github.com/syedhafiz1234/nftables-oob-read-write-exploit-CVE-2023-35001- http://packetstormsecurity.com/files/173757/Kernel-Live-Patch-Security-Notice-LSN-0096-1.html http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html http://www.openwall.com/lists/oss-security/2023/07/05/3 https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html https://lists.debian.org/debian-lts-announce/2024/01/m • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2023-3390 – Use-after-free in Linux kernel's netfilter subsystem
https://notcve.org/view.php?id=CVE-2023-3390
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. Se encontró una vulnerabilidad de use-after-free en el subsistema netfilter del kernel de Linux en net/netfilter/nf_tables_api.c. El manejo de errores mal manejado con NFT_MSG_NEWRULE permite usar un puntero colgante en la misma transacción que causa una vulnerabilidad de use-after-free. Esta falla permite que un atacante local con acceso de usuario cause un problema de escalada de privilegios. • http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97 https://kernel.dance/1240eb93f0616b21c675416516ff3d74798fdc97 https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://security.netapp.com/advisory/ntap-20230818-0004 https://www.debian.org/security/2023/dsa-5448 https • CWE-416: Use After Free •
CVE-2023-1295 – Privilege escalation with IO_RING_OP_CLOSE in the Linux Kernel
https://notcve.org/view.php?id=CVE-2023-1295
A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93. • https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9eac1904d3364254d622bf2c771c4f85cd435fc2 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb https://kernel.dance/788d0824269bef539fe31a785b1517882eafed93 https://kernel.dance/9eac1904d3364254d622bf2c771c4f85cd435fc2 https://security.netapp.com/advisory/ntap-20230731-0006 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2023-3212 – kernel: gfs2: NULL pointer dereference in gfs2_evict_inode()
https://notcve.org/view.php?id=CVE-2023-3212
A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic. A NULL pointer dereference flaw was found in the gfs2 file system in the Linux kernel. This issue occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. • https://bugzilla.redhat.com/show_bug.cgi?id=2214348 https://github.com/torvalds/linux/commit/504a10d9e46bc37b23d0a1ae2f28973c8516e636 https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://security.netapp.com/advisory/ntap-20230929-0005 https://www.debian.org/security/2023/dsa-5448 https://www.debian.org/security/2023/dsa-5480 https://access.redhat.com/security/cve/CVE-2023-3212 • CWE-476: NULL Pointer Dereference •
CVE-2023-2911 – Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0
https://notcve.org/view.php?id=CVE-2023-2911
If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. • http://www.openwall.com/lists/oss-security/2023/06/21/6 https://kb.isc.org/docs/cve-2023-2911 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEFCEVCTYEMKTWA7V7EYPI5YQQ4JWDLI https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3K6AJK7RRSR53HRF5GGKPA6PDUDWOD2 https://security.netapp.com/advisory/ntap-20230703-0010 https://www.debian.org/security/2023/dsa-5439 • CWE-787: Out-of-bounds Write •