0-day vulnerability in the n_gsm driver that allows code execution at the Linux kernel level

Father

Two exploits have been discovered in the public domain that target a previously unknown vulnerability in the n_gsm driver, which is part of the Linux kernel. The vulnerability allows an unprivileged local user to execute code at the kernel level and raise their privileges on the system. No CVE ID has been assigned. The problem remains unfixed for now.

The n_gsm driver provides an implementation of the GSM 07.10 protocol used in GSM modems for multiplexing serial port connections. The vulnerability is caused by a race condition in the GSMIOC_SETCONF_DLCI ioctl handler used to update the DLCI (Data Link Connection Identifier) configuration. By manipulating the ioctl, memory can be accessed after it has been freed (use-after-free).

The exploit can be used on systems with Linux kernels from 5.15 up to and including 6.5. For example, successful root access is demonstrated on Fedora, Ubuntu 22.04 with the 6.5 kernel, and Debian 12 with the 6.1 kernel. Starting with the 6.6 kernel, CAP_NET_ADMIN rights are required for exploitation. As a workaround to block the vulnerability, you can prevent automatic loading of the n_gsm kernel module by adding the line "blacklist n_gsm" to the /etc/modprobe.d/blacklist.conf file.
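The following script is an added example (not from the original post or any exploit) for checking a host against what is described above: whether the running kernel falls in the 5.15..6.5 range, whether n_gsm is loaded or built in, and whether the "blacklist n_gsm" workaround is actually present under /etc/modprobe.d. It assumes a Linux host with /proc and the usual /lib/modules layout.

```shell
#!/bin/sh
# Defender-side check for the n_gsm issue: kernel range, module state, blacklist.
# Version range and blacklist line come from the post; everything else is an assumption.

# Return 0 if the kernel release "$1" (e.g. 6.1.0-18-amd64) is within 5.15 <= v <= 6.5
# by major.minor; returns 2 if the string does not start with two numeric fields.
kernel_in_affected_range() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    case "$maj" in ''|*[!0-9]*) return 2 ;; esac
    case "$min" in ''|*[!0-9]*) return 2 ;; esac
    ver=$((maj * 1000 + min))
    [ "$ver" -ge 5015 ] && [ "$ver" -le 6005 ]
}

# Return 0 if any *.conf under directory "$1" has an active (uncommented)
# "blacklist n_gsm" line. Commented-out lines do not count.
n_gsm_blacklisted() {
    grep -qsE '^[[:space:]]*blacklist[[:space:]]+n_gsm([[:space:]]|$)' "$1"/*.conf
}

report() {
    krel=$(uname -r)
    if kernel_in_affected_range "$krel"; then
        echo "kernel $krel: within 5.15..6.5 (no CAP_NET_ADMIN needed before 6.6)"
    else
        echo "kernel $krel: outside the 5.15..6.5 range"
    fi
    if grep -q '^n_gsm ' /proc/modules 2>/dev/null; then
        echo "n_gsm: currently loaded"
    elif grep -qs '/n_gsm.ko' "/lib/modules/$krel/modules.builtin"; then
        echo "n_gsm: built into the kernel; a modprobe blacklist will not help here"
    else
        echo "n_gsm: not loaded"
    fi
    if n_gsm_blacklisted /etc/modprobe.d; then
        echo "blacklist: 'blacklist n_gsm' present under /etc/modprobe.d"
    else
        echo "blacklist: missing (add 'blacklist n_gsm' to /etc/modprobe.d/blacklist.conf)"
    fi
}

report
```

A blacklist entry only stops alias-based auto-loading; `install n_gsm /bin/false` in the same file additionally refuses an explicit `modprobe n_gsm`, and neither helps when the driver is compiled in.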

It is noteworthy that in January, information was disclosed about another vulnerability (CVE-2023-6546) in the n_gsm driver, for which an exploit is also publicly available. That vulnerability does not overlap with the new problem: it is likewise caused by a use-after-free on the gsm_dlci structure, but in the GSMIOC_SETCONF ioctl handler. The issue was fixed in August last year (the fix was included in the 6.5 kernel).

*****

Details of a 0-day have been disclosed and a PoC is available for a vulnerability affecting the Linux kernel module that supports the GSM 07.10 multiplexing protocol.

The researcher who discovered the vulnerability was initially scammed: he was promised $15k and credit as the author, but the fraud was soon revealed, and with it the details of the 0-day.

The flaw can be used for privilege escalation attacks.

To date, no fixes have been submitted yet.