CVE-2023-5369 - OpenCVE

Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Freebsd	Freebsd

Configuration 1 [-]

cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*

References

Link	Resource
https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc	Vendor Advisory
https://security.netapp.com/advisory/ntap-20231124-0009/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: freebsd

Published: 2023-10-04T03:48:53.559Z

Updated: 2023-10-04T03:53:02.846Z

Reserved: 2023-10-03T21:25:17.658Z

Link: CVE-2023-5369

JSON object: View

NVD Information

Status : Modified

Published: 2023-10-04T04:15:14.627

Modified: 2023-11-24T09:15:09.607

Link: CVE-2023-5369

JSON object: View

Redhat Information

No data.

CWE

CWE-273

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5369", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2023-10-03T21:25:17.658Z", "datePublished": "2023-10-04T03:48:53.559Z", "dateUpdated": "2023-10-04T03:53:02.846Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["capsicum"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"lessThan": "p4", "status": "affected", "version": "13.2-RELEASE", "versionType": "release"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Chisnall"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Before correction, the <tt>copy_file_range</tt> system call checked only for the <tt>CAP_READ</tt> and <tt>CAP_WRITE</tt> capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the <tt>CAP_SEEK</tt> capability.</p><p>This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.<br></p>"}], "value": "Before correction, the\u00a0copy_file_range\u00a0system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability.\n\nThis incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-273", "description": "CWE-273 Improper Check for Dropped Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2023-10-04T03:53:02.846Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc"}, {"url": "https://security.netapp.com/advisory/ntap-20231124-0009/"}], "source": {"discovery": "UNKNOWN"}, "title": "copy_file_range insufficient capability rights check", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*", "matchCriteriaId": "A87EFA20-DD6B-41C5-98FD-A29F67D2E732", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Before correction, the\u00a0copy_file_range\u00a0system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability.\n\nThis incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor."}, {"lang": "es", "value": "Antes de la correcci\u00f3n, la llamada al sistema copy_file_range verific\u00f3 solo las capabilities CAP_READ y CAP_WRITE en los descriptores de archivos de entrada y salida, respectivamente. Usar un desplazamiento es l\u00f3gicamente equivalente a buscar, y la llamada al sistema debe requerir adicionalmente la capability CAP_SEEK. Esta verificaci\u00f3n de privilegios incorrecta permiti\u00f3 que los procesos aislados con solo lectura o escritura pero sin capacidad de b\u00fasqueda en un descriptor de archivo leyeran o escribieran datos en una ubicaci\u00f3n arbitraria dentro del archivo correspondiente a ese descriptor de archivo."}], "id": "CVE-2023-5369", "lastModified": "2023-11-24T09:15:09.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-04T04:15:14.627", "references": [{"source": "secteam@freebsd.org", "tags": ["Vendor Advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc"}, {"source": "secteam@freebsd.org", "url": "https://security.netapp.com/advisory/ntap-20231124-0009/"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-273"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-273"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}