CVE-2023-6200 - OpenCVE

A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.7:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.7:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.7:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.7:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.7:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.7:rc6::::::

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-6200
https://bugzilla.redhat.com/show_bug.cgi?id=2250377
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e
https://nvd.nist.gov/vuln/detail/CVE-2023-6200
https://www.cve.org/CVERecord?id=CVE-2023-6200

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-01-28T12:19:24.885Z

Updated: 2024-08-02T08:21:18.007Z

Reserved: 2023-11-20T09:44:39.245Z

Link: CVE-2023-6200

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-28T13:15:07.817

Modified: 2024-02-02T15:38:42.870

Link: CVE-2023-6200

Redhat

Severity : Important

Publid Date: 2023-12-21T00:00:00Z

Links: CVE-2023-6200 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6200", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-11-20T09:44:39.245Z", "datePublished": "2024-01-28T12:19:24.885Z", "dateUpdated": "2024-08-02T08:21:18.007Z"}, "containers": {"cna": {"title": "Kernel: icmpv6 router advertisement packets, aka linux tcp/ip remote code execution vulnerability", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution."}], "affected": [{"product": "kernel", "vendor": "n/a", "versions": [{"version": "6.7-rc7", "status": "unaffected"}]}, {"product": "kernel", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel-rt", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel-rt", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel-rt", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kernel", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:enterprise_linux:8::hypervisor"]}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "kernel", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-6200", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250377", "name": "RHBZ#2250377", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e"}], "datePublic": "2023-12-21T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "description": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "workarounds": [{"lang": "en", "value": "The remote attack is potentially possible in the local network only. It is not possible if param\nnet.ipv6.conf.[NIC].accept_ra\ndisabled. Check this param value with the command\ncat /proc/sys/net/ipv6/conf/default/accept_ra\nor /proc/sys/net/ipv6/conf/eth0/accept_ra\n(where eth0 is the name of the networking interface).\nIf you cannot run this or a similar command and parameter accept_ra is not available, then IPV6 is disabled.\nIf IPV6 is not being used, it is possible to disable it completely, and there is instruction on how to do this:\nhttps://access.redhat.com/solutions/8709"}], "timeline": [{"lang": "en", "time": "2023-11-17T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-12-21T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Lucas Leong (Trend Micro Zero Day Initiative) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-02-02T15:44:56.695Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:18.007Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-6200", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250377", "name": "RHBZ#2250377", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "668F5607-E136-4E8E-86F2-316E9DC41ADC", "versionEndExcluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "3A0038DE-E183-4958-A6E3-CE3821FEAFBF", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:rc2:*:*:*:*:*:*", "matchCriteriaId": "E31AD4FC-436C-44AB-BCAB-3A0B37F69EE0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:rc3:*:*:*:*:*:*", "matchCriteriaId": "C56C6E04-4F04-44A3-8DB8-93899903CFCF", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:rc4:*:*:*:*:*:*", "matchCriteriaId": "5C78EDA4-8BE6-42FC-9512-49032D525A55", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:rc5:*:*:*:*:*:*", "matchCriteriaId": "32F2E5CA-13C6-4601-B530-D465CBF73D1C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:rc6:*:*:*:*:*:*", "matchCriteriaId": "5ED5AF93-F831-48BC-9545-CCB344E814FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution."}, {"lang": "es", "value": "Se encontr\u00f3 una condici\u00f3n de ejecuci\u00f3n en el kernel de Linux. Bajo ciertas condiciones, un atacante no autenticado de una red adyacente podr\u00eda enviar un paquete de publicidad de enrutador ICMPv6, provocando la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2023-6200", "lastModified": "2024-02-02T15:38:42.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-01-28T13:15:07.817", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-6200"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250377"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-362"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Lucas Leong (Trend Micro Zero Day Initiative) for reporting this issue.", "bugzilla": {"description": "kernel: ICMPv6 Router Advertisement packets, aka Linux TCP/IP Remote Code Execution Vulnerability", "id": "2250377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250377"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.", "A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "The remote attack is potentially possible in the local network only. It is not possible if param\nnet.ipv6.conf.[NIC].accept_ra\ndisabled. Check this param value with the command\ncat /proc/sys/net/ipv6/conf/default/accept_ra\nor /proc/sys/net/ipv6/conf/eth0/accept_ra\n(where eth0 is the name of the networking interface).\nIf you cannot run this or a similar command and parameter accept_ra is not available, then IPV6 is disabled.\nIf IPV6 is not being used, it is possible to disable it completely, and there is instruction on how to do this:\nhttps://access.redhat.com/solutions/8709"}, "name": "CVE-2023-6200", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Virtualization 4"}], "public_date": "2023-12-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-6200\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6200\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e"], "statement": "To trigger this issue, the attacker must be on the local network, IPV6, and the parameter net.ipv6.conf must be enabled.[NIC].accept_ra enabled. By default, net.ipv6.conf.[NIC].accept_ra is disabled for Red Hat Enterprise Linux. In the default configuration, only local attacks are possible. The bug was introduced upstream by commit 3dec89b14d37 (\"net/ipv6: Remove expired routes with a separated list of routes.\").", "threat_severity": "Important", "upstream_fix": "kernel 6.7-rc7"}