CVE-2023-4207
Use-after-free in Linux kernel's net/sched: cls_fw component
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
Se puede explotar una vulnerabilidad de use-after-free en el componente Linux kernel's net/sched: cls_fw para conseguir una escalada local de privilegios. Cuando se llama a fw_change() en un filtro existente, toda la estructura tcf_result se copia siempre en la nueva instancia del filtro.Esto causa un problema cuando se actualiza un filtro vinculado a una clase, ya que tcf_unbind_filter() siempre llama a la instancia antigua en la ruta de éxito, disminuyendo filter_cnt de la clase aún referenciada y permitiendo que se elimine, lo que lleva a un Use After Free. Recomendamos actualizar el commit a partir de 76e42ae831991c828cffa8c37736ebfb831ad5ec.
There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208.
A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system.
Similar CVE-2023-4128 was rejected as a duplicate.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-08-07 CVE Reserved
- 2023-09-06 CVE Published
- 2023-09-12 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
- CAPEC-233: Privilege Escalation
References (6)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html | Mailing List | |
https://www.debian.org/security/2023/dsa-5492 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-4207 | 2024-01-16 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2225511 | 2024-01-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.18 < 4.14.326 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.18 < 4.14.326" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 4.19.295 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.295" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 5.4.253 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.253" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.10.190 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.190" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.11 < 5.15.126 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.126" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.16 < 6.1.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.1.45" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.2 < 6.4.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.4.10" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0" | - |
Affected
|