Bug 2176192 (CVE-2023-0461) - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets
Summary: CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets
Keywords:
Status: NEW
Alias: CVE-2023-0461
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2162758 2176815 2176941 2176942 2176943 2176944 2176945 2176946 2176947 2176948 2176949 2176950 2176952 2176953 2176954 2176955 2176956 2176957 2176958 2176959 2176960 2176961 2176962 2176963 2176964 2176965 2176966 2176967 2176968 2176969 2176970 2178010 2186424
Blocks: 2176193 2176801
TreeView+ depends on / blocked
 
Reported: 2023-03-07 15:49 UTC by Mauro Matteo Cascella
Modified: 2024-02-07 13:15 UTC (History)
49 users (show)

Fixed In Version: kernel 6.2-rc3
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s TLS protocol functionality in how a user installs a tls context (struct tls_context) on a connected TCP socket. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2023-03-09 15:24:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1556 0 None None None 2023-04-04 06:52:19 UTC
Red Hat Product Errata RHSA-2023:1557 0 None None None 2023-04-04 06:55:25 UTC
Red Hat Product Errata RHSA-2023:1662 0 None None None 2023-04-05 13:43:01 UTC
Red Hat Product Errata RHSA-2023:1841 0 None None None 2023-04-18 16:34:31 UTC
Red Hat Product Errata RHSA-2023:1923 0 None None None 2023-04-21 08:17:48 UTC
Red Hat Product Errata RHSA-2023:2148 0 None None None 2023-05-09 07:13:00 UTC
Red Hat Product Errata RHSA-2023:2458 0 None None None 2023-05-09 07:51:30 UTC
Red Hat Product Errata RHSA-2023:2736 0 None None None 2023-05-16 08:06:19 UTC
Red Hat Product Errata RHSA-2023:2951 0 None None None 2023-05-16 08:35:05 UTC
Red Hat Product Errata RHSA-2023:3190 0 None None None 2023-05-17 15:23:50 UTC
Red Hat Product Errata RHSA-2023:3191 0 None None None 2023-05-17 15:23:59 UTC
Red Hat Product Errata RHSA-2023:3465 0 None None None 2023-06-06 08:46:39 UTC
Red Hat Product Errata RHSA-2023:3470 0 None None None 2023-06-06 08:45:49 UTC
Red Hat Product Errata RHSA-2023:3490 0 None None None 2023-06-06 13:37:37 UTC
Red Hat Product Errata RHSA-2023:3491 0 None None None 2023-06-06 14:11:56 UTC
Red Hat Product Errata RHSA-2023:4125 0 None None None 2023-07-18 07:45:01 UTC
Red Hat Product Errata RHSA-2023:4126 0 None None None 2023-07-18 07:44:56 UTC
Red Hat Product Errata RHSA-2023:4146 0 None None None 2023-07-18 08:21:27 UTC

Description Mauro Matteo Cascella 2023-03-07 15:49:23 UTC 
NVD description: There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege.

Upstream commit:
https://github.com/torvalds/linux/commit/2c02d41d71f90a5168391b6a5f2954112ba2307c
Comment 2 Alex 2023-03-09 11:40:13 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2176815]
Comment 4 Product Security DevOps Team 2023-03-09 15:24:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0461
Comment 39 Justin M. Forbes 2023-03-14 18:43:15 UTC 
This was fixed for Fedora with the 6.1.5 stable kernel updates.
Comment 42 errata-xmlrpc 2023-04-04 06:52:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1556 https://access.redhat.com/errata/RHSA-2023:1556
Comment 43 errata-xmlrpc 2023-04-04 06:55:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1557 https://access.redhat.com/errata/RHSA-2023:1557
Comment 44 errata-xmlrpc 2023-04-05 13:42:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1662 https://access.redhat.com/errata/RHSA-2023:1662
Comment 51 errata-xmlrpc 2023-04-18 16:34:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1841 https://access.redhat.com/errata/RHSA-2023:1841
Comment 52 errata-xmlrpc 2023-04-21 08:17:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1923 https://access.redhat.com/errata/RHSA-2023:1923
Comment 55 errata-xmlrpc 2023-05-09 07:12:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148
Comment 56 errata-xmlrpc 2023-05-09 07:51:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458
Comment 57 errata-xmlrpc 2023-05-16 08:06:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736
Comment 58 errata-xmlrpc 2023-05-16 08:35:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951
Comment 59 errata-xmlrpc 2023-05-17 15:23:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:3190 https://access.redhat.com/errata/RHSA-2023:3190
Comment 60 errata-xmlrpc 2023-05-17 15:23:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:3191 https://access.redhat.com/errata/RHSA-2023:3191
Comment 61 errata-xmlrpc 2023-06-06 08:45:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3470 https://access.redhat.com/errata/RHSA-2023:3470
Comment 62 errata-xmlrpc 2023-06-06 08:46:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3465 https://access.redhat.com/errata/RHSA-2023:3465
Comment 63 errata-xmlrpc 2023-06-06 13:37:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3490 https://access.redhat.com/errata/RHSA-2023:3490
Comment 64 errata-xmlrpc 2023-06-06 14:11:52 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491
Comment 66 errata-xmlrpc 2023-07-18 07:44:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4125 https://access.redhat.com/errata/RHSA-2023:4125
Comment 67 errata-xmlrpc 2023-07-18 07:44:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4126 https://access.redhat.com/errata/RHSA-2023:4126
Comment 68 errata-xmlrpc 2023-07-18 08:21:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:4146 https://access.redhat.com/errata/RHSA-2023:4146
Note You need to log in before you can comment on or make changes to this bug.