Linux Kernel TUN/TAP OOB MemAccess PrivEsc via Malicious Packet
CVE-2023-3812 Published on July 24, 2023

Kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags
An out-of-bounds memory access flaw was found in the Linux kernels TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-3812 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Timeline

2023-07-19

Reported to Red Hat.

2022-10-22

Made public.

Weakness Type

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2023-3812 has been classified to as a Memory Corruption vulnerability or weakness.

Products Associated with CVE-2023-3812

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-3812 are published in these products:

Linux Kernel

Red Hat Enterprise Linux (RHEL)

Red Hat Rhel E4s

Red Hat Rhel Aus

Red Hat Rhel Tus

Red Hat Rhel Eus

Red Hat Rhev Hypervisor

Affected Versions

Red Hat Enterprise Linux 8:

Version 0:4.18.0-513.9.1.rt7.311.el8_9 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:4.18.0-513.9.1.el8_9 and below * is unaffected.

Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions:

Version 0:4.18.0-147.94.1.el8_1 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Advanced Update Support:

Version 0:4.18.0-193.133.1.el8_2 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Telecommunications Update Service:

Version 0:4.18.0-193.133.1.rt13.184.el8_2 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Telecommunications Update Service:

Version 0:4.18.0-193.133.1.el8_2 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions: Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions:

Version 0:4.18.0-193.133.1.el8_2 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support:

Version 0:4.18.0-305.120.1.el8_4 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Telecommunications Update Service:

Version 0:4.18.0-305.120.1.rt7.196.el8_4 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Telecommunications Update Service:

Version 0:4.18.0-305.120.1.el8_4 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions:

Version 0:4.18.0-305.120.1.el8_4 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions: Red Hat Enterprise Linux 8.6 Extended Update Support: Red Hat Enterprise Linux 8.6 Extended Update Support:

Version 0:4.18.0-372.87.1.el8_6 and below * is unaffected.

Red Hat Enterprise Linux 8.8 Extended Update Support: Red Hat Enterprise Linux 8.8 Extended Update Support:

Version 0:4.18.0-477.43.1.el8_8 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:5.14.0-362.18.1.el9_3 and below * is unaffected.

Red Hat Enterprise Linux 9: Red Hat Enterprise Linux 9:

Version 0:5.14.0-362.18.1.el9_3 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Extended Update Support:

Version 0:5.14.0-70.80.1.el9_0 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Extended Update Support:

Version 0:5.14.0-70.80.1.rt21.151.el9_0 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Extended Update Support: Red Hat Enterprise Linux 9.2 Extended Update Support:

Version 0:5.14.0-284.40.1.el9_2 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Extended Update Support:

Version 0:5.14.0-284.40.1.rt14.325.el9_2 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Extended Update Support: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8:

Version 0:4.18.0-372.87.1.el8_6 and below * is unaffected.

Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 9:

Exploit Probability

EPSS

0.01%

Percentile

0.66%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Linux Kernel TUN/TAP OOB MemAccess PrivEsc via Malicious PacketCVE-2023-3812 Published on July 24, 2023

Vulnerability Analysis

Timeline

Weakness Type

What is a Memory Corruption Vulnerability?

Products Associated with CVE-2023-3812

Affected Versions

Exploit Probability

Linux Kernel TUN/TAP OOB MemAccess PrivEsc via Malicious Packet
CVE-2023-3812 Published on July 24, 2023