5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.2 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
5.1%
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: force RO when remounting if SetVariable is not supported If
SetVariable at runtime is not supported by the firmware we never assign a
callback for that function. At the same time mount the efivarfs as RO so no
one can call that. However, we never check the permission flags when
someone remounts the filesystem as RW. As a result this leads to a crash
looking like this: $ mount -o remount,rw /sys/firmware/efi/efivars $
efi-updatevar -f PK.auth PK [ 303.279166] Unable to handle kernel NULL
pointer dereference at virtual address 0000000000000000 [ 303.280482] Mem
abort info: [ 303.280854] ESR = 0x0000000086000004 [ 303.281338] EC = 0x21:
IABT (current EL), IL = 32 bits [ 303.282016] SET = 0, FnV = 0 [
303.282414] EA = 0, S1PTW = 0 [ 303.282821] FSC = 0x04: level 0 translation
fault [ 303.283771] user pgtable: 4k pages, 48-bit VAs,
pgdp=000000004258c000 [ 303.284913] [0000000000000000]
pgd=0000000000000000, p4d=0000000000000000 [ 303.286076] Internal error:
Oops: 0000000086000004 [#1] PREEMPT SMP [ 303.286936] Modules linked in:
qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse
ip_tables x_tables ipv6 [ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar
Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1 [ 303.289748] Hardware name:
Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d
04/01/2023 [ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT
-SSBS BTYPE=–) [ 303.292123] pc : 0x0 [ 303.292443] lr :
efivar_set_variable_locked+0x74/0xec [ 303.293156] sp : ffff800008673c10 [
303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27:
0000000000000000 [ 303.294592] x26: 0000000000000800 x25: ffff000002467400
x24: 0000000000000027 [ 303.295572] x23: ffffd49ea9832000 x22:
ffff0000020c9800 x21: ffff000002467000 [ 303.296566] x20: 0000000000000001
x19: 00000000000007fc x18: 0000000000000000 [ 303.297531] x17:
0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54 [ 303.298495]
x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4 [
303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 :
0000000000000002 [ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230
x6 : 0000000000a85201 [ 303.301412] x5 : 0000000000000000 x4 :
ffff0000020c9800 x3 : 00000000000007fc [ 303.302370] x2 : 0000000000000027
x1 : ffff000002467400 x0 : ffff000002467000 [ 303.303341] Call trace: [
303.303679] 0x0 [ 303.303938] efivar_entry_set_get_size+0x98/0x16c [
303.304585] efivarfs_file_write+0xd0/0x1a4 [ 303.305148]
vfs_write+0xc4/0x2e4 [ 303.305601] ksys_write+0x70/0x104 [ 303.306073]
__arm64_sys_write+0x1c/0x28 [ 303.306622] invoke_syscall+0x48/0x114 [
303.307156] el0_svc_common.constprop.0+0x44/0xec [ 303.307803]
do_el0_svc+0x38/0x98 [ 303.308268] el0_svc+0x2c/0x84 [ 303.308702]
el0t_64_sync_handler+0xf4/0x120 [ 303.309293] el0t_64_sync+0x190/0x194 [
303.309794] Code: ??? ??? ??? ??? (???) [
303.310612] —[ end trace 0000000000000000 ]— Fix this by adding a
.reconfigure() function to the fs operations which we can use to check the
requested flags and deny anything that’s not RO if the firmware doesn’t
implement SetVariable at runtime.
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < 5.15.0-102.112 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-7.7 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1057.63 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1057.63~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1060.69 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-azure | < 6.5.0-1022.23 | UNKNOWN |
git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737
git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe
git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826
git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8
git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548
git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b
launchpad.net/bugs/cve/CVE-2023-52463
nvd.nist.gov/vuln/detail/CVE-2023-52463
security-tracker.debian.org/tracker/CVE-2023-52463
ubuntu.com/security/notices/USN-6688-1
ubuntu.com/security/notices/USN-6725-1
ubuntu.com/security/notices/USN-6725-2
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
www.cve.org/CVERecord?id=CVE-2023-52463
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.2 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
5.1%