CVE-2023-6816

Xorg-x11-server: heap buffer overflow in devicefocusevent and procxiquerypointer

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

Se encontró un fallo en el servidor X.Org. Tanto DeviceFocusEvent como la respuesta de XIQueryPointer contienen un bit para cada botón lógico actualmente presionado. Los botones se pueden asignar arbitrariamente a cualquier valor hasta 255, pero el servidor X.Org solo asignaba espacio para la cantidad particular de botones del dispositivo, lo que provocaba un desbordamiento de búfer en la región Heap de la memoria si se usaba un valor mayor.

This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of SetInputFocus requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.

USN-6587-1 fixed vulnerabilities in X.Org X Server. The fix was incomplete resulting in a possible regression. This update fixes the problem. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled reattaching to a different master device. An attacker could use this issue to cause the X Server to crash, leading to a denial of service, or possibly execute arbitrary code. Olivier Fourdan and Donn Seeley discovered that the X.Org X Server incorrectly labeled GLX PBuffers when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service. Olivier Fourdan discovered that the X.Org X Server incorrectly handled the curser code when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the XISendDeviceHierarchyEvent API. An attacker could possibly use this issue to cause the X Server to crash, or execute arbitrary code. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled devices being disabled. An attacker could possibly use this issue to cause the X Server to crash, or execute arbitrary code.

*Credits: Red Hat would like to thank Jan-Niklas Sohn (Trend Micro Zero Day Initiative) for reporting this issue.

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-14 CVE Reserved
2024-01-17 CVE Published
2024-11-23 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (22)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/01/msg00016.html	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J4H7CH565ALSZZYKOJFYDA5KFLG6NUK	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZ75X54CN4IFYMIV7OK3JVZ57FHQIGIC
https://security.gentoo.org/glsa/202401-30
https://security.netapp.com/advisory/ntap-20240307-0006

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2024/01/18/1	2024-05-22

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:0320	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0557	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0558	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0597	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0607	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0614	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0617	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0621	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0626	2024-05-22
https://access.redhat.com/errata/RHSA-2024:0629	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2169	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2170	2024-05-22
https://access.redhat.com/errata/RHSA-2024:2996	2024-05-22
https://access.redhat.com/security/cve/CVE-2023-6816	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2257691	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
X.org Search vendor "X.org"		Xorg-server Search vendor "X.org" for product "Xorg-server"				< 21.1.11 Search vendor "X.org" for product "Xorg-server" and version " < 21.1.11"		-		Affected
X.org Search vendor "X.org"		Xwayland Search vendor "X.org" for product "Xwayland"				< 23.2.4 Search vendor "X.org" for product "Xwayland" and version " < 23.2.4"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected