// For flags

CVE-2023-6546

Kernel: gsm multiplexing race condition leads to privilege escalation

Severity Score

7.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.

Se encontró una condición de ejecución en el multiplexor tty GSM 0710 en el kernel de Linux. Este problema ocurre cuando dos subprocesos ejecutan GSMIOC_SETCONF ioctl en el mismo descriptor de archivo tty con la disciplina de línea gsm habilitada y puede provocar un problema de use after free en una estructura gsm_dlci al reiniciar gsm mux. Esto podría permitir que un usuario local sin privilegios aumente sus privilegios en el sistema.

This vulnerability allows local attackers to execute arbitrary code on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the n_gsm driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

*Credits: Nassim Asrir
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-12-06 CVE Reserved
  • 2023-12-21 CVE Published
  • 2024-05-08 EPSS Updated
  • 2024-09-13 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-416: Use After Free
CAPEC
References (31)
URL Tag Source
http://www.openwall.com/lists/oss-security/2024/04/10/18
http://www.openwall.com/lists/oss-security/2024/04/10/21
http://www.openwall.com/lists/oss-security/2024/04/11/7
http://www.openwall.com/lists/oss-security/2024/04/11/9
http://www.openwall.com/lists/oss-security/2024/04/12/1
http://www.openwall.com/lists/oss-security/2024/04/12/2
http://www.openwall.com/lists/oss-security/2024/04/16/2
http://www.openwall.com/lists/oss-security/2024/04/17/1
https://www.zerodayinitiative.com/advisories/ZDI-CAN-20527
URL Date SRC
URL Date SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2255498 2024-07-23
https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3 2024-07-23
URL Date SRC
https://access.redhat.com/errata/RHSA-2024:0930 2024-07-23
https://access.redhat.com/errata/RHSA-2024:0937 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1018 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1019 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1055 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1250 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1253 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1306 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1607 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1612 2024-07-23
https://access.redhat.com/errata/RHSA-2024:1614 2024-07-23
https://access.redhat.com/errata/RHSA-2024:2093 2024-07-23
https://access.redhat.com/errata/RHSA-2024:2394 2024-07-23
https://access.redhat.com/errata/RHSA-2024:2621 2024-07-23
https://access.redhat.com/errata/RHSA-2024:2697 2024-07-23
https://access.redhat.com/errata/RHSA-2024:4577 2024-07-23
https://access.redhat.com/errata/RHSA-2024:4729 2024-07-23
https://access.redhat.com/errata/RHSA-2024:4731 2024-07-23
https://access.redhat.com/security/cve/CVE-2023-6546 2024-07-23
https://access.redhat.com/errata/RHSA-2024:4970 2024-09-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 6.5
Search vendor "Linux" for product "Linux Kernel" and version " < 6.5"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.5
Search vendor "Linux" for product "Linux Kernel" and version "6.5"
rc1
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.5
Search vendor "Linux" for product "Linux Kernel" and version "6.5"
rc2
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.5
Search vendor "Linux" for product "Linux Kernel" and version "6.5"
rc3
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.5
Search vendor "Linux" for product "Linux Kernel" and version "6.5"
rc4
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.5
Search vendor "Linux" for product "Linux Kernel" and version "6.5"
rc5
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 6.5
Search vendor "Linux" for product "Linux Kernel" and version "6.5"
rc6
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 39
Search vendor "Fedoraproject" for product "Fedora" and version "39"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 9.0
Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"
-
Affected