CVE-2023-5367

Xorg-x11-server: out-of-bounds write in xichangedeviceproperty/rrchangeoutputproperty

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.

Se encontró una falla de escritura fuera de los límites en el servidor xorg-x11. Este problema ocurre debido a un cálculo incorrecto de un desplazamiento del búfer al copiar datos almacenados en el montón en la función XIChangeDeviceProperty en Xi/xiproperty.c y en la función RRChangeOutputProperty en randr/rrproperty.c, lo que permite una posible escalada de privilegios o Denegación de Servicio (DoS). .

This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the XIChangeDeviceProperty function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.

*Credits: Jan-Niklas Sohn

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-03 CVE Reserved
2023-10-25 CVE Published
2024-09-16 CVE Updated
2024-09-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (30)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WS5E7H4A5J3U5YBCTMRPQVGWK5LVH7D	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RK66CXMXO3PCPDU3GDY5FK4UYHUXQJT	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YBK3I6SETHETBHDETFWM3VSZUQICIDV	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AKKIE626TZOOPD533EYN47J4RFNHZVOP	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HO2Q2NP6R62ZRQQG3XQ4AXUT7J2EKKKY	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L2RMNR4235YXZZQ2X7Q4MTOZDMZ7BBQU	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEDJN4VFN57K5POOC7BNVD6L6WUUCSG6	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN6KV4XGQJRVAOSM5C3CWMVAXO53COIP	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJXNI4BXURC2BKPNAHFJK3C5ZETB7PER	Mailing List
https://security.gentoo.org/glsa/202401-30	Third Party Advisory
https://security.netapp.com/advisory/ntap-20231130-0004	Third Party Advisory
https://www.debian.org/security/2023/dsa-5534	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://lists.x.org/archives/xorg-announce/2023-October/003430.html	2024-05-22

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:6802	2024-05-22
https://access.redhat.com/errata/RHSA-2023:6808	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7373	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7388	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7405	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7428	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7436	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7526	2024-05-22
https://access.redhat.com/errata/RHSA-2023:7533	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0010	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0128	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2169	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2170	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2995	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2996	2024-05-22
https://access.redhat.com/security/cve/CVE-2023-5367	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2243091	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
X.org Search vendor "X.org"		X Server Search vendor "X.org" for product "X Server"				< 21.1.9 Search vendor "X.org" for product "X Server" and version " < 21.1.9"		-		Affected
X.org Search vendor "X.org"		Xwayland Search vendor "X.org" for product "Xwayland"				< 23.2.2 Search vendor "X.org" for product "Xwayland" and version " < 23.2.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"				7.0_s390x Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0_s390x"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Big Endian Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"				7.0_ppc64 Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "7.0_ppc64"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"				7.0_ppc64le Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "7.0_ppc64le"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Scientific Computing Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected