CVE-2023-0459 - OpenCVE

Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-372.9.1.rt7.166.el8	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2022:1975	2022-05-10T00:00:00Z
kernel-0:4.18.0-372.9.1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:1988	2022-05-10T00:00:00Z

References

Link	Providers
https://github.com/torvalds/linux/commit/4b842e4e25b12951fa10dedb4bc16bc47e3b850c
https://github.com/torvalds/linux/commit/74e19ef0ff8061ef55957c3abd71614ef0f42f47
https://nvd.nist.gov/vuln/detail/CVE-2023-0459
https://www.cve.org/CVERecord?id=CVE-2023-0459

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2023-05-25T13:22:38.338Z

Updated: 2024-08-02T05:10:56.155Z

Reserved: 2023-01-24T09:43:39.956Z

Link: CVE-2023-0459

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-25T14:15:09.603

Modified: 2023-06-06T13:47:53.550

Link: CVE-2023-0459

Redhat

Severity : Low

Publid Date: 2020-02-15T06:30:00Z

Links: CVE-2023-0459 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0459", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-01-24T09:43:39.956Z", "datePublished": "2023-05-25T13:22:38.338Z", "dateUpdated": "2024-08-02T05:10:56.155Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "kernel", "platforms": ["64 bit"], "product": "Linux Kernel", "repo": "https://git.kernel.org", "vendor": "Linux", "versions": [{"lessThanOrEqual": "74e19ef0ff8061ef55957c3abd71614ef0f42f47", "status": "affected", "version": "4b842e4e25b12951fa10dedb4bc16bc47e3b850c", "versionType": "git"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47"}], "value": "Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit\u00a074e19ef0ff8061ef55957c3abd71614ef0f42f47"}], "impacts": [{"capecId": "CAPEC-129", "descriptions": [{"lang": "en", "value": "CAPEC-129 Pointer Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-763", "description": "CWE-763 Release of Invalid Pointer or Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-05-25T13:22:38.338Z"}, "references": [{"url": "https://github.com/torvalds/linux/commit/4b842e4e25b12951fa10dedb4bc16bc47e3b850c"}, {"url": "https://github.com/torvalds/linux/commit/74e19ef0ff8061ef55957c3abd71614ef0f42f47"}], "source": {"discovery": "UNKNOWN"}, "title": "Copy_from_user Spectre-V1 Gadget in Linux Kernel", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.155Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/torvalds/linux/commit/4b842e4e25b12951fa10dedb4bc16bc47e3b850c", "tags": ["x_transferred"]}, {"url": "https://github.com/torvalds/linux/commit/74e19ef0ff8061ef55957c3abd71614ef0f42f47", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "891AEAFE-6900-48E0-A0EA-B80FCE04588D", "versionEndExcluding": "4.14.307", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2513393F-113F-40C1-828E-542A55286974", "versionEndExcluding": "4.19.274", "versionStartIncluding": "4.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "01D7B24C-ACBF-43E4-BA77-9FAF9ECD6941", "versionEndExcluding": "5.4.233", "versionStartIncluding": "5.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A69105CF-22D5-4FE7-A3C6-C80D6CCD0E38", "versionEndExcluding": "5.10.170", "versionStartIncluding": "5.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5CC1A01-8B90-47FC-A28A-9F870D9F407E", "versionEndExcluding": "5.15.96", "versionStartIncluding": "5.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACB5D831-9547-4DFD-866F-DFFC1E72C13E", "versionEndExcluding": "6.1.14", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "876A1437-FED6-4A5F-A74C-42B5ACC15BC7", "versionEndExcluding": "6.2.1", "versionStartIncluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit\u00a074e19ef0ff8061ef55957c3abd71614ef0f42f47"}], "id": "CVE-2023-0459", "lastModified": "2023-06-06T13:47:53.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2023-05-25T14:15:09.603", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch"], "url": "https://github.com/torvalds/linux/commit/4b842e4e25b12951fa10dedb4bc16bc47e3b850c"}, {"source": "cve-coordination@google.com", "tags": ["Patch"], "url": "https://github.com/torvalds/linux/commit/74e19ef0ff8061ef55957c3abd71614ef0f42f47"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-763"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-763"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1975", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:1988", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-372.9.1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "kernel: Copy_from_user on 64-bit versions may leak kernel information", "id": "2216383", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216383"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-402", "details": ["Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit\u00a074e19ef0ff8061ef55957c3abd71614ef0f42f47", "A vulnerability was found in copy_from_user in 64-bit versions of the Linux kernel. This flaw allows a local attacker to bypass the \"access_ok\" sanity check and pass a kernel pointer to copy_from_user(), resulting in kernel data leaking."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-0459", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2020-02-15T06:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0459\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0459\nhttps://github.com/torvalds/linux/commit/4b842e4e25b12951fa10dedb4bc16bc47e3b850c"], "threat_severity": "Low", "upstream_fix": "Kernel 5.7-rc1"}