CVE-2023-4207

Use-after-free in Linux kernel's net/sched: cls_fw component

  • Severity Score: 7.8 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
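
The counter imbalance described above, as a simplified user-space model added here (not kernel code and not part of the original advisory). All `model_*` names are hypothetical, and the non-copying variant is included only for contrast.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code; all model_* names are hypothetical. */
struct model_class  { int filter_cnt; };            /* class with a bound-filter counter */
struct model_result { struct model_class *cls; };   /* stands in for tcf_result */
struct model_filter { struct model_result res; };

static void model_bind(struct model_result *r, struct model_class *c)
{
    r->cls = c;
    c->filter_cnt++;
}

static void model_unbind(struct model_result *r)
{
    if (r->cls)
        r->cls->filter_cnt--;
    r->cls = NULL;
}

/* Update an existing filter without supplying a new class.
 * copy_result=true models the copy described in the advisory text. */
static struct model_filter model_change(struct model_filter *old, bool copy_result)
{
    struct model_filter fnew = { .res = { NULL } };
    if (copy_result)
        fnew.res = old->res;      /* pointer copied, filter_cnt NOT incremented */
    model_unbind(&old->res);      /* success path: old instance is always unbound */
    return fnew;
}

/* True when the new filter still references a class whose counter says "unused". */
static bool model_dangling_after_update(bool copy_result)
{
    struct model_class cls = { 0 };
    struct model_filter old = { .res = { NULL } };
    model_bind(&old.res, &cls);                        /* filter_cnt == 1 */
    struct model_filter fnew = model_change(&old, copy_result);
    return fnew.res.cls == &cls && cls.filter_cnt == 0;
}

int main(void)
{
    printf("result copied:     dangling=%d\n", model_dangling_after_update(true));
    printf("result not copied: dangling=%d\n", model_dangling_after_update(false));
    return 0;
}
```

In the model, a counter of zero is what lets the class be deleted, so the copied pointer in the new filter is the reference that would be left dangling.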

There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in the classifiers (cls_fw, cls_u32, and cls_route) in the Linux kernel: CVE-2023-4206, CVE-2023-4207, and CVE-2023-4208.
A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system.

The similar CVE-2023-4128 was rejected as a duplicate.

*Credits: valis, Bing-Jhong Billy Jheng
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-08-07 CVE Reserved
  • 2023-09-06 CVE Published
  • 2023-09-12 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
  • CAPEC-233: Privilege Escalation
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Linux | Linux Kernel | >= 3.18 < 4.14.326 | - | Affected
Linux | Linux Kernel | >= 4.15 < 4.19.295 | - | Affected
Linux | Linux Kernel | >= 4.20 < 5.4.253 | - | Affected
Linux | Linux Kernel | >= 5.5 < 5.10.190 | - | Affected
Linux | Linux Kernel | >= 5.11 < 5.15.126 | - | Affected
Linux | Linux Kernel | >= 5.16 < 6.1.45 | - | Affected
Linux | Linux Kernel | >= 6.2 < 6.4.10 | - | Affected
Debian | Debian Linux | 12.0 | - | Affected