1.9 KiB
CVE-2023-0461
Description
There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.The setsockopt TCP_ULP operation does not require any privilege.We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c
POC
Reference
Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/EGI-Federation/SVG-advisories
- https://github.com/borzakovskiy/CoolSols
- https://github.com/c0debatya/CoolSols
- https://github.com/hheeyywweellccoommee/linux-4.19.72_CVE-2023-0461-ycnbd
- https://github.com/hshivhare67/kernel_v4.19.72_CVE-2023-0461
- https://github.com/nidhi7598/linux-4.19.72_CVE-2023-0461
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/rockrid3r/CoolSols
- https://github.com/sysca11/CoolSols
- https://github.com/xairy/linux-kernel-exploitation