PT-2023-1655 · Linux+8 · Linux Kernel+8

Slipper · Published 2018-04-06 · Updated 2025-01-09 · CVE-2023-0461

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Linux Kernel (affected versions not specified)

Description: There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability, kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, a user can install a TLS context on a connected TCP socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege.

Recommendations: We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c. As a temporary workaround, consider disabling the CONFIG_TLS or CONFIG_XFRM_ESPINTCP kernel configuration flags until a patch is available. Restrict access to the setsockopt TCP_ULP operation to minimize the risk of exploitation. Avoid using the TLS context on a connected TCP socket until the issue is resolved.
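
To act on the workaround above, the following added example (not part of the original advisory or of the kernel project) reports whether a kernel build config enables the two flags the description names. The function names read_kconfig, flag_state and ulp_exposure are hypothetical, and the config file location is an assumption that varies by distribution.

```sh
#!/bin/sh
# Added example: report the state of CONFIG_TLS and CONFIG_XFRM_ESPINTCP
# in a kernel build config file. Function names are hypothetical.

# Print the config text, handling a gzip-compressed file (name ending in .gz).
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# flag_state FILE NAME -> prints one of: builtin | module | disabled
# Lines such as "# CONFIG_TLS is not set" or a missing entry count as disabled.
# The "=" anchor keeps CONFIG_TLS from matching CONFIG_TLS_DEVICE.
flag_state() {
    val=$(read_kconfig "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo disabled ;;
    esac
}

# ulp_exposure FILE -> prints one line per flag.
# Returns 0 if both flags are disabled, 1 if either is enabled,
# 2 if the config file cannot be read.
ulp_exposure() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rc=0
    for flag in CONFIG_TLS CONFIG_XFRM_ESPINTCP; do
        state=$(flag_state "$1" "$flag")
        echo "$flag: $state"
        [ "$state" = disabled ] || rc=1
    done
    return $rc
}
```

Call it as `ulp_exposure "/boot/config-$(uname -r)"` on systems that ship the config there. The result reflects the build configuration only and says nothing about whether the fix commit is present.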

Fix

LPE

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2023:2148
ALSA-2023:2458
ALSA-2023:2736
ALSA-2023:2951
ALT-PU-2018-1557
ALT-PU-2019-1139
ALT-PU-2019-1363
ALT-PU-2020-1145
ALT-PU-2020-1251
ALT-PU-2020-2164
ALT-PU-2021-1447
ALT-PU-2021-1525
ALT-PU-2021-1869
ALT-PU-2021-1888
ALT-PU-2021-1896
ALT-PU-2022-1175
ALT-PU-2022-1647
ALT-PU-2022-2155
ALT-PU-2023-1039
ALT-PU-2023-1048
ALT-PU-2023-1059
ALT-PU-2023-1060
ALT-PU-2023-1066
ALT-PU-2023-1070
ALT-PU-2023-1126
ALT-PU-2023-1128
ALT-PU-2023-1154
ALT-PU-2023-1155
ALT-PU-2023-1378
ALT-PU-2023-7007
ALT-PU-2023-7682
AZL-25353
BDU:2023-01200
CESA-2023_2736
CESA-2023_2951
CVE-2023-0461
DLA-3403-1
DLA-3404-1
LSN-0093-1
OESA-2023-1173
OESA-2023-1174
OESA-2023-1177
OESA-2023-1178
OPENSUSE-SU-2023_0774-1
OPENSUSE-SU-2023_2646-1
OPENSUSE-SU-2023_2871-1
OPENSUSE-SU-2023_4882-1
RHSA-2023:1556
RHSA-2023:1557
RHSA-2023:1662
RHSA-2023:1841
RHSA-2023:1923
RHSA-2023:2148
RHSA-2023:2458
RHSA-2023:2736
RHSA-2023:2951
RHSA-2023:3190
RHSA-2023:3191
RHSA-2023:3465
RHSA-2023:3470
RHSA-2023:3490
RHSA-2023:3491
RHSA-2023:4125
RHSA-2023:4126
RHSA-2023:4146
RHSA-2023_2148
RHSA-2023_2458
RHSA-2023_2736
RHSA-2023_2951
SUSE-SU-2023:0749-1
SUSE-SU-2023:0749-2
SUSE-SU-2023:0774-1
SUSE-SU-2023:1608-1
SUSE-SU-2023:1609-1
SUSE-SU-2023:1710-1
SUSE-SU-2023:1800-1
SUSE-SU-2023:1811-1
SUSE-SU-2023:1892-1
SUSE-SU-2023:2371-1
SUSE-SU-2023:2384-1
SUSE-SU-2023:2405-1
SUSE-SU-2023:2416-1
SUSE-SU-2023:2423-1
SUSE-SU-2023:2425-1
SUSE-SU-2023:2431-1
SUSE-SU-2023:2443-1
SUSE-SU-2023:2448-1
SUSE-SU-2023:2455-1
SUSE-SU-2023:2468-1
SUSE-SU-2023:2646-1
SUSE-SU-2023:2809-1
SUSE-SU-2023:2871-1
SUSE-SU-2023:4735-1
SUSE-SU-2023:4784-1
SUSE-SU-2023:4882-1
SUSE-SU-2023:4883-1
SUSE-SU-2023_4735-1
SUSE-SU-2023_4784-1
SUSE-SU-2023_4882-1
SUSE-SU-2023_4883-1
SUSE-SU-2024:1039-1
SUSE-SU-2024:1097-1
USN-5883-1
USN-5911-1
USN-5912-1
USN-5913-1
USN-5914-1
USN-5915-1
USN-5917-1
USN-5919-1
USN-5920-1
USN-5924-1
USN-5925-1
USN-5927-1
USN-5929-1
USN-5934-1
USN-5935-1
USN-5938-1
USN-5939-1
USN-5940-1
USN-5941-1
USN-5950-1
USN-5951-1
USN-5962-1
USN-5975-1
USN-5976-1
USN-6000-1
USN-6007-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linux Kernel
Linuxmint
Red Hat
Suse
Ubuntu