OpenCVE

Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Canonical	Snapd Ubuntu Linux

Configuration 1 [-]

cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:22.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:22.10::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:23.04:::::::*

No data.

References

Link	Providers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523
https://github.com/snapcore/snapd/pull/12849
https://marc.info/?l=oss-security&m=167879021709955&w=2
https://ubuntu.com/security/notices/USN-6125-1

History

Tue, 01 Oct 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2023-09-01T18:41:47.820Z

Updated: 2024-10-01T13:08:45.851Z

Reserved: 2023-03-20T17:41:17.600Z

Link: CVE-2023-1523

Vulnrichment

Updated: 2024-08-02T05:49:11.645Z

NVD

Status : Analyzed

Published: 2023-09-01T19:15:42.707

Modified: 2023-09-08T17:17:40.033

Link: CVE-2023-1523

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1523", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2023-03-20T17:41:17.600Z", "datePublished": "2023-09-01T18:41:47.820Z", "dateUpdated": "2024-10-01T13:08:45.851Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."}], "affected": [{"vendor": "Canonical Ltd.", "product": "snapd", "platforms": ["Linux"], "collectionURL": "https://github.com/snapcore/snapd/releases", "packageName": "snapd", "repo": "https://github.com/snapcore/snapd", "versions": [{"status": "unaffected", "version": "2.59.5"}]}], "datePublic": "2023-05-25T00:00:00.000Z", "references": [{"tags": ["vendor-advisory"], "url": "https://ubuntu.com/security/notices/USN-6125-1"}, {"tags": ["issue-tracking"], "url": "https://github.com/snapcore/snapd/pull/12849"}, {"tags": ["mailing-list"], "url": "https://marc.info/?l=oss-security&m=167879021709955&w=2"}, {"tags": ["issue-tracking"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2023-09-01T18:41:47.820Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.645Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://ubuntu.com/security/notices/USN-6125-1"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/snapcore/snapd/pull/12849"}, {"tags": ["mailing-list", "x_transferred"], "url": "https://marc.info/?l=oss-security&m=167879021709955&w=2"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T13:08:37.894449Z", "id": "CVE-2023-1523", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T13:08:45.851Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://ubuntu.com/security/notices/USN-6125-1", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://github.com/snapcore/snapd/pull/12849", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://marc.info/?l=oss-security&m=167879021709955&w=2", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523", "tags": ["issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1523", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-01T13:08:37.894449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T13:08:41.348Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"repo": "https://github.com/snapcore/snapd", "vendor": "Canonical Ltd.", "product": "snapd", "versions": [{"status": "unaffected", "version": "2.59.5"}], "platforms": ["Linux"], "packageName": "snapd", "collectionURL": "https://github.com/snapcore/snapd/releases"}], "datePublic": "2023-05-25T00:00:00.000Z", "references": [{"url": "https://ubuntu.com/security/notices/USN-6125-1", "tags": ["vendor-advisory"]}, {"url": "https://github.com/snapcore/snapd/pull/12849", "tags": ["issue-tracking"]}, {"url": "https://marc.info/?l=oss-security&m=167879021709955&w=2", "tags": ["mailing-list"]}, {"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2023-09-01T18:41:47.820Z"}}}, "cveMetadata": {"cveId": "CVE-2023-1523", "state": "PUBLISHED", "dateUpdated": "2024-10-01T13:08:45.851Z", "dateReserved": "2023-03-20T17:41:17.600Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2023-09-01T18:41:47.820Z", "assignerShortName": "canonical"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB4DC58F-3258-44BA-B2C2-228E98A40282", "versionEndExcluding": "2.59.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*", "matchCriteriaId": "B3293E55-5506-4587-A318-D1734F781C09", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*", "matchCriteriaId": "359012F1-2C63-415A-88B8-6726A87830DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.10:*:*:*:-:*:*:*", "matchCriteriaId": "47842532-D2B6-44CB-ADE2-4AC8630A4D8C", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*", "matchCriteriaId": "B2E702D7-F8C0-49BF-9FFB-883017076E98", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console."}, {"lang": "es", "value": "Utilizando la petici\u00f3n IOCTL de TIOCLINUX, un snap malicoso podr\u00eda inyectar contenido en la entrada del terminal de control, lo que podr\u00eda permitir que se ejecutaran comandos arbitrarios fuera del sandbox del snap despu\u00e9s de que \u00e9ste saliera. Los emuladores gr\u00e1ficos de terminal como xterm, gnome-terminal y otros no se ven afectados. Esto s\u00f3lo puede ser explotado cuando los snaps se ejecutan en una consola virtual. "}], "id": "CVE-2023-1523", "lastModified": "2023-09-08T17:17:40.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2023-09-01T19:15:42.707", "references": [{"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/snapcore/snapd/pull/12849"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Mailing List"], "url": "https://marc.info/?l=oss-security&m=167879021709955&w=2"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://ubuntu.com/security/notices/USN-6125-1"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}