CVE-2023-4206

Use-after-free in Linux kernel's net/sched: cls_route component

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.

When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

Una vulnerabilidad de use-after-free en el componente net/sched: cls_route del kernel de Linux se puede explotar para lograr una escalada de privilegios local. Cuando se llama a route4_change() en un filtro existente, toda la estructura tcf_result siempre se copia en la nueva instancia del filtro. Esto causa un problema al actualizar un filtro vinculado a una clase, ya que siempre se llama a tcf_unbind_filter() en la instancia anterior en la ruta exitosa, lo que disminuye filter_cnt de la clase a la que todavía se hace referencia y permite que se elimine, lo que lleva a un use-after-free. Recomendamos actualizar al commit anterior b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208.
A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system.

Similar CVE-2023-4128 was rejected as a duplicate.

*Credits: valis, Bing-Jhong Billy Jheng

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-07 CVE Reserved
2023-09-06 CVE Published
2023-09-12 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

CAPEC-233: Privilege Escalation

References (6)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html	Mailing List
https://www.debian.org/security/2023/dsa-5492	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8	2024-02-15
https://kernel.dance/b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8	2024-02-15

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-4206	2024-01-16
https://bugzilla.redhat.com/show_bug.cgi?id=2225511	2024-01-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.18 < 4.14.322 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.18 < 4.14.322"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.291 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.291"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.4.253 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.253"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.10.190 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.190"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.15.126 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.126"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 6.1.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.1.45"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.4.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.4.10"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected